From 36d22d82aa202bb199967e9512281e9a53db42c9 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sun, 7 Apr 2024 21:33:14 +0200 Subject: Adding upstream version 115.7.0esr. Signed-off-by: Daniel Baumann --- .../legacy/an_overview_of_nss_internals/index.rst | 302 + .../nss/doc/rst/legacy/blank_function/index.rst | 70 + security/nss/doc/rst/legacy/building/index.rst | 159 + .../rst/legacy/cert_findcertbydercert/index.rst | 64 + .../legacy/cert_findcertbyissuerandsn/index.rst | 82 + .../certificate_download_specification/index.rst | 186 + .../doc/rst/legacy/certificate_functions/index.rst | 410 + .../nss/doc/rst/legacy/certverify_log/index.rst | 55 + .../nss/doc/rst/legacy/code_coverage/index.rst | 73 + .../rst/legacy/cryptography_functions/index.rst | 500 + .../rst/legacy/deprecated_ssl_functions/index.rst | 34 + .../index.rst | 1206 ++ .../encrypt_decrypt_mac_using_token/index.rst | 1206 ++ security/nss/doc/rst/legacy/faq/index.rst | 280 + .../legacy/fips_mode_-_an_explanation/index.rst | 129 + .../nss/doc/rst/legacy/http_delegation/index.rst | 105 + .../doc/rst/legacy/http_delegation_clone/index.rst | 105 + security/nss/doc/rst/legacy/index.rst | 178 + security/nss/doc/rst/legacy/index/index.rst | 11751 +++++++++++++++++++ .../index.rst | 162 + .../rst/legacy/jss/4.3.1_release_notes/index.rst | 174 + .../doc/rst/legacy/jss/4_3_releasenotes/index.rst | 175 + .../jss/build_instructions_for_jss_4.3.x/index.rst | 99 + .../jss/build_instructions_for_jss_4.4.x/index.rst | 19 + security/nss/doc/rst/legacy/jss/index.rst | 165 + security/nss/doc/rst/legacy/jss/jss_faq/index.rst | 217 + .../rst/legacy/jss/jss_provider_notes/index.rst | 489 + .../jss/mozilla-jss_jca_provider_notes/index.rst | 472 + .../nss/doc/rst/legacy/jss/using_jss/index.rst | 152 + .../nss/doc/rst/legacy/key_log_format/index.rst | 61 + .../nss/doc/rst/legacy/memory_allocation/index.rst | 52 + .../doc/rst/legacy/modutil-tasks.html/index.rst | 24 + security/nss/doc/rst/legacy/more_docs.rst | 10 + .../nss/doc/rst/legacy/new_nss_samples/index.rst | 41 + .../index.rst | 172 + security/nss/doc/rst/legacy/nroff/certutil.1 | 2165 ++++ security/nss/doc/rst/legacy/nroff/cmsutil.1 | 271 + security/nss/doc/rst/legacy/nroff/crlutil.1 | 389 + security/nss/doc/rst/legacy/nroff/derdump.1 | 92 + security/nss/doc/rst/legacy/nroff/modutil.1 | 1452 +++ security/nss/doc/rst/legacy/nroff/pk12util.1 | 872 ++ security/nss/doc/rst/legacy/nroff/pp.1 | 108 + security/nss/doc/rst/legacy/nroff/signtool.1 | 681 ++ security/nss/doc/rst/legacy/nroff/signver.1 | 318 + security/nss/doc/rst/legacy/nroff/ssltap.1 | 609 + security/nss/doc/rst/legacy/nroff/vfychain.1 | 169 + security/nss/doc/rst/legacy/nroff/vfyserv.1 | 70 + .../nss_3.11.10_release_notes.html/index.rst | 174 + .../legacy/nss_3.12.1_release_notes.html/index.rst | 255 + .../legacy/nss_3.12.2_release_notes.html/index.rst | 217 + .../legacy/nss_3.12_release_notes.html/index.rst | 919 ++ .../rst/legacy/nss_3.37.3release_notes/index.rst | 72 + .../doc/rst/legacy/nss_api_guidelines/index.rst | 882 ++ .../doc/rst/legacy/nss_config_options/index.rst | 217 + .../rst/legacy/nss_developer_tutorial/index.rst | 277 + .../legacy/nss_release_notes_template/index.rst | 126 + security/nss/doc/rst/legacy/nss_releases/index.rst | 161 + .../nss_releases/jss_4.4.0_release_notes/index.rst | 109 + .../nss_3.12.3_release_notes/index.rst | 432 + .../nss_3.12.4_release_notes/index.rst | 327 + .../nss_3.12.5_release_notes/index.rst | 285 + .../nss_3.12.6_release_notes/index.rst | 318 + .../nss_3.12.9_release_notes/index.rst | 144 + .../nss_3.14.1_release_notes/index.rst | 127 + .../nss_3.14.2_release_notes/index.rst | 103 + .../nss_3.14.3_release_notes/index.rst | 132 + .../nss_3.14.4_release_notes/index.rst | 82 + .../nss_3.14.5_release_notes/index.rst | 82 + .../nss_releases/nss_3.14_release_notes/index.rst | 174 + .../nss_3.15.1_release_notes/index.rst | 131 + .../nss_3.15.2_release_notes/index.rst | 126 + .../nss_3.15.3.1_release_notes/index.rst | 89 + .../nss_3.15.3_release_notes/index.rst | 94 + .../nss_3.15.4_release_notes/index.rst | 137 + .../nss_3.15.5_release_notes/index.rst | 93 + .../nss_releases/nss_3.15_release_notes/index.rst | 157 + .../nss_3.16.1_release_notes/index.rst | 97 + .../nss_3.16.2.1_release_notes/index.rst | 99 + .../nss_3.16.2.2_release_notes/index.rst | 81 + .../nss_3.16.2.3_release_notes/index.rst | 110 + .../nss_3.16.2_release_notes/index.rst | 114 + .../nss_3.16.3_release_notes/index.rst | 171 + .../nss_3.16.4_release_notes/index.rst | 75 + .../nss_3.16.5_release_notes/index.rst | 98 + .../nss_3.16.6_release_notes/index.rst | 81 + .../nss_releases/nss_3.16_release_notes/index.rst | 98 + .../nss_3.17.1_release_notes/index.rst | 132 + .../nss_3.17.2_release_notes/index.rst | 88 + .../nss_3.17.3_release_notes/index.rst | 134 + .../nss_3.17.4_release_notes/index.rst | 90 + .../nss_releases/nss_3.17_release_notes/index.rst | 72 + .../nss_3.18.1_release_notes/index.rst | 105 + .../nss_releases/nss_3.18_release_notes/index.rst | 169 + .../nss_3.19.1_release_notes/index.rst | 113 + .../nss_3.19.2.1_release_notes/index.rst | 88 + .../nss_3.19.2.2_release_notes/index.rst | 84 + .../nss_3.19.2.3_release_notes/index.rst | 84 + .../nss_3.19.2.4_release_notes/index.rst | 82 + .../nss_3.19.2_release_notes/index.rst | 94 + .../nss_3.19.3_release_notes/index.rst | 117 + .../nss_3.19.4_release_notes/index.rst | 88 + .../nss_releases/nss_3.19_release_notes/index.rst | 119 + .../nss_3.20.1_release_notes/index.rst | 88 + .../nss_3.20.2_release_notes/index.rst | 80 + .../nss_releases/nss_3.20_release_notes/index.rst | 140 + .../nss_3.21.1_release_notes/index.rst | 80 + .../nss_3.21.2_release_notes/index.rst | 70 + .../nss_3.21.3_release_notes/index.rst | 78 + .../nss_3.21.4_release_notes/index.rst | 75 + .../nss_releases/nss_3.21_release_notes/index.rst | 277 + .../nss_3.22.1_release_notes/index.rst | 69 + .../nss_3.22.2_release_notes/index.rst | 90 + .../nss_3.22.3_release_notes/index.rst | 70 + .../nss_releases/nss_3.22_release_notes/index.rst | 194 + .../nss_releases/nss_3.23_release_notes/index.rst | 192 + .../nss_releases/nss_3.24_release_notes/index.rst | 201 + .../nss_3.25.1_release_notes/index.rst | 80 + .../nss_releases/nss_3.25_release_notes/index.rst | 140 + .../nss_3.26.2_release_notes/index.rst | 80 + .../nss_releases/nss_3.26_release_notes/index.rst | 91 + .../nss_3.27.1_release_notes/index.rst | 92 + .../nss_3.27.2_release_notes/index.rst | 84 + .../nss_releases/nss_3.27_release_notes/index.rst | 149 + .../nss_3.28.1_release_notes/index.rst | 148 + .../nss_3.28.2_release_notes/index.rst | 79 + .../nss_3.28.3_release_notes/index.rst | 95 + .../nss_3.28.4_release_notes/index.rst | 77 + .../nss_3.28.5_release_notes/index.rst | 116 + .../nss_releases/nss_3.28_release_notes/index.rst | 170 + .../nss_3.29.1_release_notes/index.rst | 94 + .../nss_3.29.2_release_notes/index.rst | 71 + .../nss_3.29.3_release_notes/index.rst | 73 + .../nss_3.29.5_release_notes/index.rst | 75 + .../nss_releases/nss_3.29_release_notes/index.rst | 68 + .../nss_3.30.1_release_notes/index.rst | 73 + .../nss_3.30.2_release_notes/index.rst | 115 + .../nss_releases/nss_3.30_release_notes/index.rst | 125 + .../nss_3.31.1_release_notes/index.rst | 71 + .../nss_releases/nss_3.31_release_notes/index.rst | 129 + .../nss_releases/nss_3.32_release_notes/index.rst | 143 + .../nss_releases/nss_3.33_release_notes/index.rst | 115 + .../nss_3.34.1_release_notes/index.rst | 94 + .../nss_releases/nss_3.34_release_notes/index.rst | 215 + .../nss_releases/nss_3.35_release_notes/index.rst | 273 + .../nss_3.36.1_release_notes/index.rst | 84 + .../nss_3.36.2_release_notes/index.rst | 75 + .../nss_3.36.4_release_notes/index.rst | 68 + .../nss_3.36.5_release_notes/index.rst | 69 + .../nss_3.36.6_release_notes/index.rst | 73 + .../nss_3.36.7_release_notes/index.rst | 74 + .../nss_3.36.8_release_notes/index.rst | 90 + .../nss_releases/nss_3.36_release_notes/index.rst | 78 + .../nss_3.37.1_release_notes/index.rst | 75 + .../nss_releases/nss_3.37_release_notes/index.rst | 112 + .../nss_releases/nss_3.38_release_notes/index.rst | 106 + .../nss_releases/nss_3.39_release_notes/index.rst | 149 + .../nss_3.40.1_release_notes/index.rst | 81 + .../nss_releases/nss_3.40_release_notes/index.rst | 102 + .../nss_3.41.1_release_notes/index.rst | 76 + .../nss_releases/nss_3.41_release_notes/index.rst | 163 + .../nss_3.42.1_release_notes/index.rst | 65 + .../nss_releases/nss_3.42_release_notes/index.rst | 143 + .../nss_releases/nss_3.43_release_notes/index.rst | 151 + .../nss_3.44.1_release_notes/index.rst | 140 + .../nss_3.44.2_release_notes/index.rst | 72 + .../nss_3.44.3_release_notes/index.rst | 76 + .../nss_3.44.4_release_notes/index.rst | 69 + .../nss_releases/nss_3.44_release_notes/index.rst | 146 + .../nss_releases/nss_3.45_release_notes/index.rst | 224 + .../nss_3.46.1_release_notes/index.rst | 72 + .../nss_releases/nss_3.46_release_notes/index.rst | 219 + .../nss_3.47.1_release_notes/index.rst | 78 + .../nss_releases/nss_3.47_release_notes/index.rst | 179 + .../nss_3.48.1_release_notes/index.rst | 71 + .../nss_releases/nss_3.48_release_notes/index.rst | 178 + .../nss_3.49.1_release_notes/index.rst | 71 + .../nss_3.49.2_release_notes/index.rst | 76 + .../nss_releases/nss_3.49_release_notes/index.rst | 103 + .../nss_releases/nss_3.50_release_notes/index.rst | 120 + .../nss_3.51.1_release_notes/index.rst | 79 + .../nss_releases/nss_3.51_release_notes/index.rst | 103 + .../nss_3.52.1_release_notes/index.rst | 69 + .../nss_releases/nss_3.52_release_notes/index.rst | 158 + .../nss_3.53.1_release_notes/index.rst | 69 + .../nss_releases/nss_3.53_release_notes/index.rst | 128 + .../nss_releases/nss_3.54_release_notes/index.rst | 184 + .../nss_releases/nss_3.55_release_notes/index.rst | 135 + .../nss_releases/nss_3.56_release_notes/index.rst | 98 + .../nss_releases/nss_3.57_release_notes/index.rst | 151 + .../nss_releases/nss_3.58_release_notes/index.rst | 76 + .../nss_3.59.1_release_notes/index.rst | 57 + .../nss_releases/nss_3.59_release_notes/index.rst | 108 + .../nss_3.60.1_release_notes/index.rst | 58 + .../nss_releases/nss_3.60_release_notes/index.rst | 144 + .../nss_releases/nss_3.61_release_notes/index.rst | 65 + .../nss_releases/nss_3.62_release_notes/index.rst | 84 + .../nss_3.63.1_release_notes/index.rst | 66 + .../nss_releases/nss_3.63_release_notes/index.rst | 90 + .../nss_releases/nss_3.64_release_notes/index.rst | 69 + .../enc_dec_mac_output_plblic_key_as_csr/index.rst | 1697 +++ .../index.rst | 2090 ++++ .../encrypt_decrypt_mac_using_token/index.rst | 1206 ++ .../nss/doc/rst/legacy/nss_sample_code/index.rst | 31 + .../nss_sample_code_sample1/index.rst | 713 ++ .../nss_sample_code_sample2/index.rst | 166 + .../nss_sample_code_sample3/index.rst | 169 + .../nss_sample_code_sample4/index.rst | 158 + .../nss_sample_code_sample5/index.rst | 174 + .../nss_sample_code_sample6/index.rst | 153 + .../nss_sample_code_sample_1_hashing/index.rst | 253 + .../index.rst | 257 + .../index.rst | 1221 ++ .../nss_sample_code_utililies_1/index.rst | 553 + .../rst/legacy/nss_sample_code/sample1/index.rst | 230 + .../nss_sample_code/sample1_-_hashing/index.rst | 257 + .../rst/legacy/nss_sample_code/sample2/index.rst | 12 + .../sample2_-_initialize_nss_database/index.rst | 250 + .../index.rst | 30 + .../utiltiies_for_nss_samples/index.rst | 747 ++ .../legacy/nss_sources_building_testing/index.rst | 123 + .../nss/doc/rst/legacy/nss_tech_notes/index.rst | 23 + .../legacy/nss_tech_notes/nss_tech_note1/index.rst | 196 + .../legacy/nss_tech_notes/nss_tech_note2/index.rst | 167 + .../legacy/nss_tech_notes/nss_tech_note3/index.rst | 234 + .../legacy/nss_tech_notes/nss_tech_note4/index.rst | 221 + .../legacy/nss_tech_notes/nss_tech_note5/index.rst | 659 ++ .../legacy/nss_tech_notes/nss_tech_note6/index.rst | 104 + .../legacy/nss_tech_notes/nss_tech_note7/index.rst | 189 + .../legacy/nss_tech_notes/nss_tech_note8/index.rst | 130 + .../doc/rst/legacy/nss_third-party_code/index.rst | 45 + .../doc/rst/legacy/nss_tools_sslstrength/index.rst | 81 + security/nss/doc/rst/legacy/overview/index.rst | 167 + security/nss/doc/rst/legacy/pkcs11/faq/index.rst | 390 + security/nss/doc/rst/legacy/pkcs11/index.rst | 14 + .../legacy/pkcs11/module_installation/index.rst | 56 + .../doc/rst/legacy/pkcs11/module_specs/index.rst | 365 + .../nss/doc/rst/legacy/pkcs11_functions/index.rst | 554 + .../nss/doc/rst/legacy/pkcs11_implement/index.rst | 477 + .../nss/doc/rst/legacy/pkcs_12_functions/index.rst | 37 + .../nss/doc/rst/legacy/pkcs_7_functions/index.rst | 55 + .../rst/legacy/python_binding_for_nss/index.rst | 1795 +++ .../build_instructions/index.rst | 152 + .../building_and_installing_nss/index.rst | 12 + .../installation_guide/index.rst | 50 + .../migration_to_hg/index.rst | 49 + .../sample_manual_installation/index.rst | 27 + .../legacy/reference/fc_cancelfunction/index.rst | 61 + .../legacy/reference/fc_closeallsessions/index.rst | 66 + .../rst/legacy/reference/fc_closesession/index.rst | 60 + .../rst/legacy/reference/fc_copyobject/index.rst | 74 + .../rst/legacy/reference/fc_createobject/index.rst | 70 + .../doc/rst/legacy/reference/fc_decrypt/index.rst | 73 + .../reference/fc_decryptdigestupdate/index.rst | 76 + .../rst/legacy/reference/fc_decryptfinal/index.rst | 67 + .../rst/legacy/reference/fc_decryptinit/index.rst | 66 + .../legacy/reference/fc_decryptupdate/index.rst | 74 + .../reference/fc_decryptverifyupdate/index.rst | 76 + .../rst/legacy/reference/fc_derivekey/index.rst | 77 + .../legacy/reference/fc_destroyobject/index.rst | 64 + .../doc/rst/legacy/reference/fc_digest/index.rst | 74 + .../reference/fc_digestencryptupdate/index.rst | 76 + .../rst/legacy/reference/fc_digestfinal/index.rst | 69 + .../rst/legacy/reference/fc_digestinit/index.rst | 63 + .../rst/legacy/reference/fc_digestkey/index.rst | 66 + .../rst/legacy/reference/fc_digestupdate/index.rst | 70 + .../doc/rst/legacy/reference/fc_encrypt/index.rst | 73 + .../rst/legacy/reference/fc_encryptfinal/index.rst | 68 + .../rst/legacy/reference/fc_encryptinit/index.rst | 71 + .../legacy/reference/fc_encryptupdate/index.rst | 74 + .../doc/rst/legacy/reference/fc_finalize/index.rst | 88 + .../rst/legacy/reference/fc_findobjects/index.rst | 70 + .../legacy/reference/fc_findobjectsfinal/index.rst | 59 + .../legacy/reference/fc_findobjectsinit/index.rst | 70 + .../rst/legacy/reference/fc_generatekey/index.rst | 73 + .../legacy/reference/fc_generatekeypair/index.rst | 83 + .../legacy/reference/fc_generaterandom/index.rst | 67 + .../reference/fc_getattributevalue/index.rst | 70 + .../legacy/reference/fc_getfunctionlist/index.rst | 79 + .../reference/fc_getfunctionstatus/index.rst | 60 + .../doc/rst/legacy/reference/fc_getinfo/index.rst | 110 + .../legacy/reference/fc_getmechanisminfo/index.rst | 72 + .../legacy/reference/fc_getmechanismlist/index.rst | 70 + .../legacy/reference/fc_getobjectsize/index.rst | 67 + .../reference/fc_getoperationstate/index.rst | 69 + .../legacy/reference/fc_getsessioninfo/index.rst | 76 + .../rst/legacy/reference/fc_getslotinfo/index.rst | 71 + .../rst/legacy/reference/fc_getslotlist/index.rst | 69 + .../rst/legacy/reference/fc_gettokeninfo/index.rst | 106 + .../rst/legacy/reference/fc_initialize/index.rst | 131 + .../doc/rst/legacy/reference/fc_initpin/index.rst | 78 + .../rst/legacy/reference/fc_inittoken/index.rst | 110 + .../doc/rst/legacy/reference/fc_login/index.rst | 88 + .../doc/rst/legacy/reference/fc_logout/index.rst | 58 + .../rst/legacy/reference/fc_opensession/index.rst | 78 + .../rst/legacy/reference/fc_seedrandom/index.rst | 70 + .../reference/fc_setattributevalue/index.rst | 70 + .../reference/fc_setoperationstate/index.rst | 76 + .../doc/rst/legacy/reference/fc_setpin/index.rst | 75 + .../nss/doc/rst/legacy/reference/fc_sign/index.rst | 74 + .../reference/fc_signencryptupdate/index.rst | 75 + .../rst/legacy/reference/fc_signfinal/index.rst | 68 + .../doc/rst/legacy/reference/fc_signinit/index.rst | 68 + .../rst/legacy/reference/fc_signrecover/index.rst | 75 + .../legacy/reference/fc_signrecoverinit/index.rst | 68 + .../rst/legacy/reference/fc_signupdate/index.rst | 69 + .../rst/legacy/reference/fc_unwrapkey/index.rst | 83 + .../doc/rst/legacy/reference/fc_verify/index.rst | 75 + .../rst/legacy/reference/fc_verifyfinal/index.rst | 67 + .../rst/legacy/reference/fc_verifyinit/index.rst | 67 + .../legacy/reference/fc_verifyrecover/index.rst | 75 + .../reference/fc_verifyrecoverinit/index.rst | 68 + .../rst/legacy/reference/fc_verifyupdate/index.rst | 70 + .../legacy/reference/fc_waitforslotevent/index.rst | 61 + .../doc/rst/legacy/reference/fc_wrapkey/index.rst | 77 + security/nss/doc/rst/legacy/reference/index.rst | 340 + .../rst/legacy/reference/nsc_inittoken/index.rst | 113 + .../doc/rst/legacy/reference/nsc_login/index.rst | 88 + .../rst/legacy/reference/nspr_functions/index.rst | 126 + .../reference/nss_certificate_functions/index.rst | 609 + .../fips_mode_of_operation/index.rst | 190 + .../reference/nss_cryptographic_module/index.rst | 29 + .../reference/nss_environment_variables/index.rst | 515 + .../rst/legacy/reference/nss_functions/index.rst | 105 + .../rst/legacy/reference/nss_initialize/index.rst | 113 + .../legacy/reference/nss_key_functions/index.rst | 60 + .../doc/rst/legacy/reference/nss_tools/index.rst | 26 + .../reference/nss_tools__colon__certutil/index.rst | 845 ++ .../reference/nss_tools__colon__cmsutil/index.rst | 192 + .../reference/nss_tools__colon__crlutil/index.rst | 379 + .../reference/nss_tools__colon__modutil/index.rst | 901 ++ .../reference/nss_tools__colon__pk12util/index.rst | 442 + .../reference/nss_tools__colon__ssltab/index.rst | 573 + .../reference/nss_tools__colon__ssltap/index.rst | 573 + .../reference/nss_tools__colon__vfychain/index.rst | 132 + .../reference/nss_tools__colon__vfyserv/index.rst | 50 + .../rst/legacy/reference/troubleshoot/index.rst | 78 + .../nss/doc/rst/legacy/release_notes/index.rst | 138 + .../nss/doc/rst/legacy/s_mime_functions/index.rst | 111 + .../doc/rst/legacy/ssl_functions/gtstd/index.rst | 264 + .../nss/doc/rst/legacy/ssl_functions/index.rst | 83 + .../ssl_functions/old_ssl_reference/index.rst | 269 + .../doc/rst/legacy/ssl_functions/pkfnc/index.rst | 439 + .../doc/rst/legacy/ssl_functions/sslcrt/index.rst | 632 + .../doc/rst/legacy/ssl_functions/sslerr/index.rst | 1434 +++ .../doc/rst/legacy/ssl_functions/sslfnc/index.rst | 3595 ++++++ .../rst/legacy/ssl_functions/sslintro/index.rst | 291 + .../doc/rst/legacy/ssl_functions/sslkey/index.rst | 107 + .../doc/rst/legacy/ssl_functions/ssltyp/index.rst | 343 + .../legacy/tls_cipher_suite_discovery/index.rst | 114 + .../nss/doc/rst/legacy/tools/certutil/index.rst | 702 ++ .../nss/doc/rst/legacy/tools/cmsutil/index.rst | 111 + .../nss/doc/rst/legacy/tools/crlutil/index.rst | 229 + security/nss/doc/rst/legacy/tools/index.rst | 125 + .../nss/doc/rst/legacy/tools/modutil/index.rst | 640 + .../tools/nss_tools_certutil-tasks/index.rst | 32 + .../rst/legacy/tools/nss_tools_certutil/index.rst | 666 ++ .../rst/legacy/tools/nss_tools_cmsutil/index.rst | 119 + .../rst/legacy/tools/nss_tools_crlutil/index.rst | 441 + .../legacy/tools/nss_tools_dbck-tasks/index.rst | 28 + .../legacy/tools/nss_tools_modutil-tasks/index.rst | 24 + .../rst/legacy/tools/nss_tools_modutil/index.rst | 912 ++ .../tools/nss_tools_pk12util-tasks/index.rst | 23 + .../rst/legacy/tools/nss_tools_pk12util/index.rst | 217 + .../legacy/tools/nss_tools_signver-tasks/index.rst | 22 + .../legacy/tools/nss_tools_sslstrength/index.rst | 87 + .../rst/legacy/tools/nss_tools_ssltap/index.rst | 621 + .../nss/doc/rst/legacy/tools/pk12util/index.rst | 282 + .../nss/doc/rst/legacy/tools/signtool/index.rst | 547 + .../nss/doc/rst/legacy/tools/signver/index.rst | 118 + security/nss/doc/rst/legacy/tools/ssltap/index.rst | 495 + .../nss/doc/rst/legacy/tools/vfychain/index.rst | 92 + .../nss/doc/rst/legacy/tools/vfyserv/index.rst | 8 + .../nss/doc/rst/legacy/troubleshooting/index.rst | 11 + .../nss/doc/rst/legacy/utility_functions/index.rst | 427 + 374 files changed, 89286 insertions(+) create mode 100644 security/nss/doc/rst/legacy/an_overview_of_nss_internals/index.rst create mode 100644 security/nss/doc/rst/legacy/blank_function/index.rst create mode 100644 security/nss/doc/rst/legacy/building/index.rst create mode 100644 security/nss/doc/rst/legacy/cert_findcertbydercert/index.rst create mode 100644 security/nss/doc/rst/legacy/cert_findcertbyissuerandsn/index.rst create mode 100644 security/nss/doc/rst/legacy/certificate_download_specification/index.rst create mode 100644 security/nss/doc/rst/legacy/certificate_functions/index.rst create mode 100644 security/nss/doc/rst/legacy/certverify_log/index.rst create mode 100644 security/nss/doc/rst/legacy/code_coverage/index.rst create mode 100644 security/nss/doc/rst/legacy/cryptography_functions/index.rst create mode 100644 security/nss/doc/rst/legacy/deprecated_ssl_functions/index.rst create mode 100644 security/nss/doc/rst/legacy/encrypt_decrypt_mac_keys_as_session_objects/index.rst create mode 100644 security/nss/doc/rst/legacy/encrypt_decrypt_mac_using_token/index.rst create mode 100644 security/nss/doc/rst/legacy/faq/index.rst create mode 100644 security/nss/doc/rst/legacy/fips_mode_-_an_explanation/index.rst create mode 100644 security/nss/doc/rst/legacy/http_delegation/index.rst create mode 100644 security/nss/doc/rst/legacy/http_delegation_clone/index.rst create mode 100644 security/nss/doc/rst/legacy/index.rst create mode 100644 security/nss/doc/rst/legacy/index/index.rst create mode 100644 security/nss/doc/rst/legacy/introduction_to_network_security_services/index.rst create mode 100644 security/nss/doc/rst/legacy/jss/4.3.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/jss/4_3_releasenotes/index.rst create mode 100644 security/nss/doc/rst/legacy/jss/build_instructions_for_jss_4.3.x/index.rst create mode 100644 security/nss/doc/rst/legacy/jss/build_instructions_for_jss_4.4.x/index.rst create mode 100644 security/nss/doc/rst/legacy/jss/index.rst create mode 100644 security/nss/doc/rst/legacy/jss/jss_faq/index.rst create mode 100644 security/nss/doc/rst/legacy/jss/jss_provider_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/jss/mozilla-jss_jca_provider_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/jss/using_jss/index.rst create mode 100644 security/nss/doc/rst/legacy/key_log_format/index.rst create mode 100644 security/nss/doc/rst/legacy/memory_allocation/index.rst create mode 100644 security/nss/doc/rst/legacy/modutil-tasks.html/index.rst create mode 100644 security/nss/doc/rst/legacy/more_docs.rst create mode 100644 security/nss/doc/rst/legacy/new_nss_samples/index.rst create mode 100644 security/nss/doc/rst/legacy/notes_on_tls_-_ssl_3.0_intolerant_servers/index.rst create mode 100644 security/nss/doc/rst/legacy/nroff/certutil.1 create mode 100644 security/nss/doc/rst/legacy/nroff/cmsutil.1 create mode 100644 security/nss/doc/rst/legacy/nroff/crlutil.1 create mode 100644 security/nss/doc/rst/legacy/nroff/derdump.1 create mode 100644 security/nss/doc/rst/legacy/nroff/modutil.1 create mode 100644 security/nss/doc/rst/legacy/nroff/pk12util.1 create mode 100644 security/nss/doc/rst/legacy/nroff/pp.1 create mode 100644 security/nss/doc/rst/legacy/nroff/signtool.1 create mode 100644 security/nss/doc/rst/legacy/nroff/signver.1 create mode 100644 security/nss/doc/rst/legacy/nroff/ssltap.1 create mode 100644 security/nss/doc/rst/legacy/nroff/vfychain.1 create mode 100644 security/nss/doc/rst/legacy/nroff/vfyserv.1 create mode 100644 security/nss/doc/rst/legacy/nss_3.11.10_release_notes.html/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_3.12.1_release_notes.html/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_3.12.2_release_notes.html/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_3.12_release_notes.html/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_3.37.3release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_api_guidelines/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_config_options/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_developer_tutorial/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_release_notes_template/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/jss_4.4.0_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.12.3_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.12.4_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.12.5_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.12.6_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.12.9_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.14.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.14.2_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.14.3_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.14.4_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.14.5_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.14_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.15.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.15.2_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.15.3.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.15.3_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.15.4_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.15.5_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.15_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.16.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.16.2.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.16.2.2_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.16.2.3_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.16.2_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.16.3_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.16.4_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.16.5_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.16.6_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.16_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.17.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.17.2_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.17.3_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.17.4_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.17_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.18.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.18_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.19.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.19.2.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.19.2.2_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.19.2.3_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.19.2.4_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.19.2_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.19.3_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.19.4_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.19_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.20.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.20.2_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.20_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.21.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.21.2_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.21.3_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.21.4_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.21_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.22.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.22.2_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.22.3_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.22_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.23_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.24_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.25.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.25_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.26.2_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.26_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.27.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.27.2_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.27_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.28.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.28.2_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.28.3_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.28.4_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.28.5_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.28_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.29.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.29.2_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.29.3_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.29.5_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.29_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.30.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.30.2_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.30_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.31.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.31_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.32_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.33_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.34.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.34_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.35_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.36.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.36.2_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.36.4_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.36.5_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.36.6_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.36.7_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.36.8_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.36_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.37.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.37_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.38_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.39_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.40.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.40_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.41.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.41_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.42.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.42_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.43_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.44.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.44.2_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.44.3_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.44.4_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.44_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.45_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.46.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.46_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.47.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.47_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.48.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.48_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.49.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.49.2_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.49_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.50_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.51.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.51_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.52.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.52_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.53.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.53_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.54_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.55_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.56_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.57_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.58_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.59.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.59_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.60.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.60_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.61_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.62_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.63.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.63_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.64_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_sample_code/enc_dec_mac_output_plblic_key_as_csr/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_sample_code/enc_dec_mac_using_key_wrap_certreq_pkcs10_csr/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_sample_code/encrypt_decrypt_mac_using_token/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_sample_code/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_sample_code/nss_sample_code_sample1/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_sample_code/nss_sample_code_sample2/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_sample_code/nss_sample_code_sample3/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_sample_code/nss_sample_code_sample4/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_sample_code/nss_sample_code_sample5/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_sample_code/nss_sample_code_sample6/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_sample_code/nss_sample_code_sample_1_hashing/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_sample_code/nss_sample_code_sample_2_initialization_of_nss/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_sample_code/nss_sample_code_sample_3_basic_encryption_and_maci/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_sample_code/nss_sample_code_utililies_1/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_sample_code/sample1/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_sample_code/sample1_-_hashing/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_sample_code/sample2/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_sample_code/sample2_-_initialize_nss_database/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_sample_code/sample3_-_encdecmac_using_token_object/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_sample_code/utiltiies_for_nss_samples/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_sources_building_testing/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_tech_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_tech_notes/nss_tech_note1/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_tech_notes/nss_tech_note2/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_tech_notes/nss_tech_note3/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_tech_notes/nss_tech_note4/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_tech_notes/nss_tech_note5/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_tech_notes/nss_tech_note6/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_tech_notes/nss_tech_note7/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_tech_notes/nss_tech_note8/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_third-party_code/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_tools_sslstrength/index.rst create mode 100644 security/nss/doc/rst/legacy/overview/index.rst create mode 100644 security/nss/doc/rst/legacy/pkcs11/faq/index.rst create mode 100644 security/nss/doc/rst/legacy/pkcs11/index.rst create mode 100644 security/nss/doc/rst/legacy/pkcs11/module_installation/index.rst create mode 100644 security/nss/doc/rst/legacy/pkcs11/module_specs/index.rst create mode 100644 security/nss/doc/rst/legacy/pkcs11_functions/index.rst create mode 100644 security/nss/doc/rst/legacy/pkcs11_implement/index.rst create mode 100644 security/nss/doc/rst/legacy/pkcs_12_functions/index.rst create mode 100644 security/nss/doc/rst/legacy/pkcs_7_functions/index.rst create mode 100644 security/nss/doc/rst/legacy/python_binding_for_nss/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/building_and_installing_nss/build_instructions/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/building_and_installing_nss/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/building_and_installing_nss/installation_guide/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/building_and_installing_nss/migration_to_hg/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/building_and_installing_nss/sample_manual_installation/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_cancelfunction/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_closeallsessions/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_closesession/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_copyobject/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_createobject/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_decrypt/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_decryptdigestupdate/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_decryptfinal/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_decryptinit/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_decryptupdate/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_decryptverifyupdate/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_derivekey/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_destroyobject/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_digest/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_digestencryptupdate/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_digestfinal/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_digestinit/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_digestkey/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_digestupdate/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_encrypt/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_encryptfinal/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_encryptinit/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_encryptupdate/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_finalize/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_findobjects/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_findobjectsfinal/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_findobjectsinit/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_generatekey/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_generatekeypair/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_generaterandom/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_getattributevalue/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_getfunctionlist/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_getfunctionstatus/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_getinfo/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_getmechanisminfo/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_getmechanismlist/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_getobjectsize/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_getoperationstate/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_getsessioninfo/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_getslotinfo/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_getslotlist/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_gettokeninfo/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_initialize/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_initpin/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_inittoken/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_login/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_logout/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_opensession/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_seedrandom/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_setattributevalue/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_setoperationstate/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_setpin/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_sign/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_signencryptupdate/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_signfinal/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_signinit/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_signrecover/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_signrecoverinit/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_signupdate/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_unwrapkey/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_verify/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_verifyfinal/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_verifyinit/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_verifyrecover/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_verifyrecoverinit/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_verifyupdate/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_waitforslotevent/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_wrapkey/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/nsc_inittoken/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/nsc_login/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/nspr_functions/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/nss_certificate_functions/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/nss_cryptographic_module/fips_mode_of_operation/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/nss_cryptographic_module/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/nss_environment_variables/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/nss_functions/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/nss_initialize/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/nss_key_functions/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/nss_tools/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/nss_tools__colon__certutil/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/nss_tools__colon__cmsutil/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/nss_tools__colon__crlutil/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/nss_tools__colon__modutil/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/nss_tools__colon__pk12util/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/nss_tools__colon__ssltab/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/nss_tools__colon__ssltap/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/nss_tools__colon__vfychain/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/nss_tools__colon__vfyserv/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/troubleshoot/index.rst create mode 100644 security/nss/doc/rst/legacy/release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/s_mime_functions/index.rst create mode 100644 security/nss/doc/rst/legacy/ssl_functions/gtstd/index.rst create mode 100644 security/nss/doc/rst/legacy/ssl_functions/index.rst create mode 100644 security/nss/doc/rst/legacy/ssl_functions/old_ssl_reference/index.rst create mode 100644 security/nss/doc/rst/legacy/ssl_functions/pkfnc/index.rst create mode 100644 security/nss/doc/rst/legacy/ssl_functions/sslcrt/index.rst create mode 100644 security/nss/doc/rst/legacy/ssl_functions/sslerr/index.rst create mode 100644 security/nss/doc/rst/legacy/ssl_functions/sslfnc/index.rst create mode 100644 security/nss/doc/rst/legacy/ssl_functions/sslintro/index.rst create mode 100644 security/nss/doc/rst/legacy/ssl_functions/sslkey/index.rst create mode 100644 security/nss/doc/rst/legacy/ssl_functions/ssltyp/index.rst create mode 100644 security/nss/doc/rst/legacy/tls_cipher_suite_discovery/index.rst create mode 100644 security/nss/doc/rst/legacy/tools/certutil/index.rst create mode 100644 security/nss/doc/rst/legacy/tools/cmsutil/index.rst create mode 100644 security/nss/doc/rst/legacy/tools/crlutil/index.rst create mode 100644 security/nss/doc/rst/legacy/tools/index.rst create mode 100644 security/nss/doc/rst/legacy/tools/modutil/index.rst create mode 100644 security/nss/doc/rst/legacy/tools/nss_tools_certutil-tasks/index.rst create mode 100644 security/nss/doc/rst/legacy/tools/nss_tools_certutil/index.rst create mode 100644 security/nss/doc/rst/legacy/tools/nss_tools_cmsutil/index.rst create mode 100644 security/nss/doc/rst/legacy/tools/nss_tools_crlutil/index.rst create mode 100644 security/nss/doc/rst/legacy/tools/nss_tools_dbck-tasks/index.rst create mode 100644 security/nss/doc/rst/legacy/tools/nss_tools_modutil-tasks/index.rst create mode 100644 security/nss/doc/rst/legacy/tools/nss_tools_modutil/index.rst create mode 100644 security/nss/doc/rst/legacy/tools/nss_tools_pk12util-tasks/index.rst create mode 100644 security/nss/doc/rst/legacy/tools/nss_tools_pk12util/index.rst create mode 100644 security/nss/doc/rst/legacy/tools/nss_tools_signver-tasks/index.rst create mode 100644 security/nss/doc/rst/legacy/tools/nss_tools_sslstrength/index.rst create mode 100644 security/nss/doc/rst/legacy/tools/nss_tools_ssltap/index.rst create mode 100644 security/nss/doc/rst/legacy/tools/pk12util/index.rst create mode 100644 security/nss/doc/rst/legacy/tools/signtool/index.rst create mode 100644 security/nss/doc/rst/legacy/tools/signver/index.rst create mode 100644 security/nss/doc/rst/legacy/tools/ssltap/index.rst create mode 100644 security/nss/doc/rst/legacy/tools/vfychain/index.rst create mode 100644 security/nss/doc/rst/legacy/tools/vfyserv/index.rst create mode 100644 security/nss/doc/rst/legacy/troubleshooting/index.rst create mode 100644 security/nss/doc/rst/legacy/utility_functions/index.rst (limited to 'security/nss/doc/rst/legacy') diff --git a/security/nss/doc/rst/legacy/an_overview_of_nss_internals/index.rst b/security/nss/doc/rst/legacy/an_overview_of_nss_internals/index.rst new file mode 100644 index 0000000000..7d705198a8 --- /dev/null +++ b/security/nss/doc/rst/legacy/an_overview_of_nss_internals/index.rst @@ -0,0 +1,302 @@ +.. _mozilla_projects_nss_an_overview_of_nss_internals: + +An overview of NSS Internals +============================ + +.. container:: + + | A High-Level Overview to the Internals of `Network Security Services + (NSS) `__ + | Software developed by the Mozilla.org projects traditionally used its own implementation of + security protocols and cryptographic algorithms, originally called Netscape Security Services, + nowadays called Network Security Services (NSS). NSS is a library written in the C programming + language. It's free and open source software, and many other software projects have decided to + use it. In order to support multiple operating systems (OS), it is based on a cross platform + portability layer, called the Netscape Portable Runtime (NSPR), which provides cross platform + application programming interfaces (APIs) for OS specific APIs like file system access, memory + management, network communication, and multithreaded programming. + | NSS offers lots of functionality; we'll walk through the list of modules, design principles, + and important relevant standards. + | In order to allow interoperability between software and devices that perform cryptographic + operations, NSS conforms to a standard called PKCS#11. (Note that it's important to look at the + number 11, as there are other PKCS standards with different numbers that define quite different + topics.) + | A software or hardware module conforming to the PKCS#11 standard implements an interface of C + calls, which allow querying the characteristics and offered services of the module. Multiple + elements of NSS's own modules have been implemented with this interface, and NSS makes use of + this interface when talking to those modules. This strategy allows NSS to work with many + hardware devices (e.g., to speed up the calculations required for cryptographic operations, or + to access smartcards that securely protect a secret key) and software modules (e.g., to allow + to load such modules as a plugin that provides additional algorithms or stores key or trust + information) that implement the PKCS#11 interface. + | A core element of NSS is FreeBL, a base library providing hash functions, big number + calculations, and cryptographic algorithms. + | Softoken is an NSS module that exposes most FreeBL functionality as a PKCS#11 module. + | Some cryptography uses the same secret key for both encrypting and decrypting, for example + password based encryption (PBE). This is often sufficient if you encrypt data for yourself, but + as soon as you need to exchange signed/encrypted data with communication partners, using public + key encryption simplifies the key management. The environment that describes how to use public + key encryption is called Public Key Infrastructure (PKI). The public keys that are exchanged + between parties are transported using a container; the container is called a certificate, + following standard X.509 version 3. A certificate contains lots of other details; for example, + it contains a signature by a third party that expresses trust in the ownership relationship for + the certificate. The trust assigned by the third party might be restricted to certain uses, + which are listed in certificate extensions that are contained in the certificate. + | Many (if not most) of the operations performed by NSS involve the use of X.509 certificates + (often abbreviated as “cert”, unfortunately making it easy to confuse with the term “computer + emergency response team“). + | When checking whether a certificate is trusted or not, it's necessary to find a relevant trust + anchor (root certificate) that represents the signing capability of a trusted third party, + usually called a Certificate Authority (CA). A trust anchor is just another X.509 certificate + that is already known and has been deliberately marked as trusted by a software vendor, + administrators inside an organizational infrastructure, or the software user. NSS ships a + predefined set of CA certificates. This set, including their trust assignments, is provided by + NSS as a software module, called CKBI (“built-in root certificates”), which also implements the + PKCS#11 interface. On an organizational level the contents of the set are managed according to + the Mozilla CA policy. On a technical level the set is a binary software module. + | A cryptographic transaction, such as encryption or decryption related to a data exchange, + usually involves working with the X.509 certs of your communication partners (peer). It's also + required that you safely keep your own secret keys that belong to your own certificates. You + might want to protect the storage of your secret keys with PBE. You might decide to modify the + default trust provided by NSS. All of this requires storing, looking up, and retrieving data. + NSS simplifies performing these operations by offering storage and management APIs. NSS doesn't + require the programmer to manage individual files containing individual certificates or keys. + Instead, NSS offers to use its own database(s). Once you have imported certificates and keys + into the NSS database, you can easily look them up and use them again. + | Because of NSS's expectation to operate with an NSS database, it's mandatory that you perform + an initialization call, where you tell NSS which database you will be using. In the most simple + scenario, the programmer will provide a directory on your filesystem as a parameter to the init + function, and NSS is designed to do the rest. It will detect and open an existing database, or + it can create a new one. Alternatively, should you decide that you don't want to work with any + persistent recording of certificates, you may initialize NSS in a no-database mode. Usually, + NSS will flush all data to disk as soon as new data has been added to permanent storage. + Storage consists of multiple files: a key database file, which contains your secret keys, and a + certificate database file which contains the public portion of your own certificates, the + certificates of peers or CAs, and a list of trust decisions (such as to not trust a built-in + CA, or to explicitly trust other CAs). Examples for the database files are key3.db and + cert8.db, where the numbers are file version numbers. A third file contains the list of + external PKCS#11 modules that have been registered to be used by NSS. The file could be named + secmod.db, but in newer database generations a file named pkcs11.txt is used. + | Only NSS is allowed to access and manipulate these database files directly; a programmer using + NSS must go through the APIs offered by NSS to manipulate the data stored in these files. The + programmer's task is to initialize NSS with the required parameters (such as a database), and + NSS will then transparently manage the database files. + | Most of the time certificates and keys are supposed to be stored in the NSS database. + Therefore, after initial import or creation, the programmer usually doesn't deal with their raw + bytes. Instead, the programmer will use lookup functions, and NSS will provide an access handle + that will be subsequently used by the application's code. Those handles are reference counted. + NSS will usually create an in-memory (RAM) presentation of certificates, once a certificate has + been received from the network, read from disk, or looked up from the database, and prepare + in-memory data structures that contain the certificate's properties, as well as providing a + handle for the programmer to use. Once the application is done with a handle, it should be + released, allowing NSS to free the associated resources. When working with handles to private + keys it's usually difficult (and undesired) that an application gets access to the raw key + data; therefore it may be difficult to extract such data from NSS. The usual minimum + requirement is that private keys must be wrapped using a protective layer (such as + password-based encryption). The intention is to make it easier to review code for security. The + less code that has access to raw secret keys, the less code that must be reviewed. + | NSS has only limited functionality to look up raw keys. The preferred approach is to use + certificates, and to look up certificates by properties such as the contained subject name + (information that describes the owner of the certificate). For example, while NSS supports + random calculation (creation) of a new public/private key pair, it's difficult to work with + such a raw key pair. The usual approach is to create a certificate signing request (CSR) as + soon as an application is done with the creation step, which will have created a handle to the + key pair, and which can be used for the necessary related operations, like producing a + proof-of-ownership of the private key, which is usually required when submitting the public key + with a CSR to a CA. The usual follow up action is receiving a signed certificate from a CA. + (However, it's also possible to use NSS functionality to create a self-signed certificate, + which, however, usually won't be trusted by other parties.) Once received, it's sufficient to + tell NSS to import such a new certificate into the NSS database, and NSS will automatically + perform a lookup of the embedded public key, be able to find the associated private key, and + subsequently be able to treat it as a personal certificate. (A personal certificate is a + certificate for which the private key is in possession, and which could be used for signing + data or for decrypting data.) A unique nickname can/should be assigned to the certificate at + the time of import, which can later be used to easily identify and retrieve it. + | It's important to note that NSS requires strict cleanup for all handles returned by NSS. The + application should always call the appropriate dereference (destroy) functions once a handle is + no longer needed. This is particularly important for applications that might need to close a + database and reinitialize NSS using a different one, without restarting. Such an operation + might fail at runtime if data elements are still being referenced. + | In addition to the FreeBL, Softoken, and CKBI modules, there is an utility library for general + operations (e.g., encoding/decoding between data formats, a list of standardized object + identifiers (OID)). NSS has an SSL/TLS module that implements the Secure Sockets + Layer/Transport Layer Security network protocols, an S/MIME module that implements CMS + messaging used by secure email and some instant messaging implementations, a DBM library that + implements the classic database storage, and finally a core NSS library for the big set of + “everything else”. Newer generations of the database use the SQLite database to allow + concurrent access by multiple applications. + | All of the above are provided as shared libraries. The CRMF library, which is used to produce + certain kinds of certificate requests, is available as a library for static linking only. + | When dealing with certificates (X.509), file formats such as PKCS#12 (certificates and keys), + PKCS#7 (signed data), and message formats as CMS, we should mention ASN.1, which is a syntax + for storing structured data in a very efficient (small sized) presentation. It was originally + developed for telecommunication systems at times where it was critical to minimize data as much + as possible (although it still makes sense to use that principle today for good performance). + In order to process data available in the ASN.1 format, the usual approach is to parse it and + transfer it to a presentation that requires more space but is easier to work with, such as + (nested) C data structures. Over the time NSS has received three different ASN.1 parser + implementations, each having their own specific properties, advantages and disadvantages, which + is why all of them are still being used (nobody has yet dared to replace the older with the + newer ones because of risks for side effects). When using the ASN.1 parser(s), a template + definition is passed to the parser, which will analyze the ASN.1 data stream accordingly. The + templates are usually closely aligned to definitions found in RFC documents. + | A data block described as DER is usually in ASN.1 format. You must know which data you are + expecting, and use the correct template for parsing, based on the context of your software's + interaction. Data described as PEM is a base64 encoded presentation of DER, usually wrapped + between human readable BEGIN/END lines. NSS prefers the binary presentation, but is often + capable to use base64 or ASCII presentations, especially when importing data from files. A + recent development adds support for loading external PEM files that contain private keys, in a + software library called nss-pem, which is separately available, but should eventually become a + core part of NSS. + | Looking at the code level, NSS deals with blocks of raw data all the time. The common structure + to store such an untyped block is SECItem, which contains a size and an untyped C pointer + variable. + | When dealing with memory, NSS makes use of arenas, which are an attempt to simplify management + with the limited offerings of C (because there are no destructors). The idea is to group + multiple memory allocations in order to simplify cleanup. Performing an operation often + involves allocating many individual data items, and the code might be required to abort a task + at many positions in the logic. An arena is requested once processing of a task starts, and all + memory allocations that are logically associated to that task are requested from the associated + arena. The implementation of arenas makes sure that all individual memory blocks are tracked. + Once a task is done, regardless whether it completed or was aborted, the programmer simply + needs to release the arena, and all individually allocated blocks will be released + automatically. Often freeing is combined with immediately erasing (zeroing, zfree) the memory + associated to the arena, in order to make it more difficult for attackers to extract keys from + a memory dump. + | NSS uses many C data structures. Often NSS has multiple implementations for the same or similar + concepts. For example, there are multiple presentations of certificates, and the NSS internals + (and sometimes even the application using NSS) might have to convert between them. + | Key responsibilites of NSS are verification of signatures and certificates. In order to verify + a digital signature, we have to look at the application data (e.g., a document that was + signed), the signature data block (the digital signature), and a public key (as found in a + certificate that is believed to be the signer, e.g., identified by metadata received together + with the signature). The signature is verified if it can be shown that the signature data block + must have been produced by the owner of the public key (because only that owner has the + associated private key). + | Verifying a certificate (A) requires some additional steps. First, you must identify the + potential signer (B) of a certificate (A). This is done by reading the “issuer name” attribute + of a certificate (A), and trying to find that issuer certificate (B) (by looking for a + certificate that uses that name as its “subject name”). Then you attempt to verify the + signature found in (A) using the public key found in (B). It might be necessary to try multiple + certificates (B1, B2, ...) each having the same subject name. + | After succeeding, it might be necessary to repeat this procedure recursively. The goal is to + eventually find a certificate B (or C or ...) that has an appropriate trust assigned (e.g., + because it can be found in the CKBI module and the user hasn't made any overriding trust + decisions, or it can be found in a NSS database file managed by the user or by the local + environment). + | After having successfully verified the signatures in a (chain of) issuer certificate(s), we're + still not done with verifying the certificate A. In a PKI it's suggested/required to perform + additional checks. For example: Certificates were valid at the time the signature was made, + name in certificates matches the expected signer (check subject name, common name, email, based + on application), the trust restrictions recorded inside the certificate (extensions) permit the + use (e.g., encryption might be allowed, but not signing), and based on environment/application + policy it might be required to perform a revocation check (OCSP or CRL), that asks the + issuer(s) of the certificates whether there have been events that made it necessary to revoke + the trust (revoke the validity of the cert). + | Trust anchors contained in the CKBI module are usually self signed, which is defined as having + identical subject name and issuer name fields. If a self-signed certificate is marked as + explicitly trusted, NSS will skip checking the self-signature for validity. + | NSS has multiple APIs to perform verification of certificates. There is a classic engine that + is very stable and works fine in all simple scenarios, for example if all (B) candidate issuer + certificates have the same subject and issuer names and differ by validity period; however, it + works only in a limited amount of more advanced scenarios. Unfortunately, the world of + certificates has become more complex in the recent past. New Certificate Authorities enter the + global PKI market, and in order to get started with their business, they might make deals with + established CAs and receive so-called cross-signing-certificates. As a result, when searching + for a trust path from (A) to a trusted anchor (root) certificate (Z), the set of candidate + issuer certificates might have different issuer names (referring to the second or higher issuer + level). As a consequence, it will be necessary to try multiple different alternative routes + while searching for (Z), in a recursive manner. Only the newer verification engine (internally + named libPKIX) is capable of doing that properly. + | It's worth mentioning the Extended Validation (EV) principle, which is an effort by software + vendors and CAs to define a stricter set of rules for issuing certificates for web site + certificates. Instead of simply verifying that the requester of a certificate is in control of + an administrative email address at the desired web site's domain, it's required that the CA + performs a verification of real world identity documents (such as a company registration + document with the country's authority), and it's also required that a browser software performs + a revocation check with the CA, prior to granting validity to the certificate. In order to + distinguish an EV certificate, CAs will embed a policy OID in the certificate, and the browser + is expected to verify that a trust chain permits the end entity (EE) certificate to make use of + the policy. Only the APIs of the newer libPKIX engine are capable of performing a policy + verification. + | That's a good opportunity to talk about SSL/TLS connections to servers in general (not just EV, + not just websites). Whenever this document mentions SSL, it refers to either SSL or TLS. (TLS + is a newer version of SSL with enhanced features.) + | When establishing an SSL connection to a server, (at least) a server certificate (and its trust + chain) is exchanged from the server to the client (e.g., the browser), and the client verifies + that the certificate can be verified (including matching the name of the expected destination + server). Another part of the handshake between both parties is a key exchange. Because public + key encryption is more expensive (more calculations required) than symmetric encryption (where + both parties use the same key), a key agreement protocol will be executed, where the public and + private keys are used to proof and verify the exchanged initial information. Once the key + agreement is done, a symmetric encryption will be used (until a potential re-handshake on an + existing channel). The combination of the hash and encryption algorithms used for a SSL + connection is called a cipher suite. + | NSS ships with a set of cipher suites that it supports at a technical level. In addition, NSS + ships with a default policy that defines which cipher suites are enabled by default. An + application is able to modify the policy used at program runtime, by using function calls to + modify the set of enabled cipher suites. + | If a programmer wants to influence how NSS verifies certificates or how NSS verifies the data + presented in a SSL connection handshake, it is possible to register application-defined + callback functions which will be called by NSS at the appropriate point of time, and which can + be used to override the decisions made by NSS. + | If you would like to use NSS as a toolkit that implements SSL, remember that you must init NSS + first. But if you don't care about modifying the default trust permanently (recorded on disk), + you can use the no-database init calls. When creating the network socket for data exchange, + note that you must use the operating system independent APIs provided by NSPR and NSS. It might + be interesting to mention a property of the NSPR file descriptors, which are stacked in layers. + This means you can define multiple layers that are involved in data processing. A file + descriptor has a pointer to the first layer handling the data. That layer has a pointer to a + potential second layer, which might have another pointer to a third layer, etc. Each layer + defines its own functions for the open/close/read/write/poll/select (etc.) functions. When + using an SSL network connection, you'll already have two layers, the basic NSPR layer and an + SSL library layer. The Mozilla applications define a third layer where application specific + processing is performed. You can find more details in the NSPR reference documents. + | NSS occassionally has to create outbound network connections, in addition to the connections + requested by the application. Examples are retrieving OCSP (Online Certificate Status Protocol) + information or downloading a CRL (Certificate Revocation List). However, NSS doesn't have an + implementation to work with network proxies. If you must support proxies in your application, + you are able to register your own implementation of an http request callback interface, and NSS + can use your application code that supports proxies. + | When using hashing, encryption, and decryption functions, it is possible to stream data (as + opposed to operating on a large buffer). Create a context handle while providing all the + parameters required for the operation, then call an “update” function multiple times to pass + subsets of the input to NSS. The data will be processed and either returned directly or sent to + a callback function registered in the context. When done, you call a finalization function that + will flush out any pending data and free the resources. + | This line is a placeholder for future sections that should explain how libpkix works and is + designed. + | If you want to work with NSS, it's often helpful to use the command line utilities that are + provided by the NSS developers. There are tools for managing NSS databases, for dumping or + verifying certificates, for registering PKCS#11 modules with a database, for processing CMS + encrypted/signed messages, etc. + | For example, if you wanted to create your own pair of keys and request a new certificate from a + CA, you could use certutil to create an empty database, then use certutil to operate on your + database and create a certificate request (which involves creating the desired key pair) and + export it to a file, submit the request file to the CA, receive the file from the CA, and + import the certificate into your database. You should assign a good nickname to a certificate + when importing it, making it easier for you to refer to it later. + | It should be noted that the first database format that can be accessed simultaneously by + multiple applications is key4.db/cert9.db – database files with lower numbers will most likely + experience unrecoverable corruption if you access them with multiple applications at the same + time. In other words, if your browser or your server operates on an older NSS database format, + don't use the NSS tools to operate on it while the other software is executing. At the time of + writing NSS and the Mozilla applications still use the older database file format by default, + where each application has its own NSS database. + | If you require a copy of a certificate stored in an NSS database, including its private key, + you can use pk12util to export it to the PKCS#12 file format. If you require it in PEM format, + you could use the openssl pkcs12 command (that's not NSS) to convert the PKCS#12 file to PEM. + | This line is a placeholder for how to prepare a database, how to dump a cert, and how to + convert data. + | You might have been motivated to work with NSS because it is used by the Mozilla applications + such as Firefox, Thunderbird, etc. If you build the Mozilla application, it will automatically + build the NSS library, too. However, if you want to work with the NSS command line tools, you + will have to follow the standalone NSS build instructions, and build NSS outside of the Mozilla + application sources. + | The key database file will contain at least one symmetric key, which NSS will automatically + create on demand, and which will be used to protect your secret (private) keys. The symmetric + key can be protected with PBE by setting a master password on the database. As soon as you set + a master password, an attacker stealing your key database will no longer be able to get access + to your private key, unless the attacker would also succeed in stealing the master password. + | Now you might be interest in how to get the + :ref:`mozilla_projects_nss_nss_sources_building_testing` \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/blank_function/index.rst b/security/nss/doc/rst/legacy/blank_function/index.rst new file mode 100644 index 0000000000..5541bf1a69 --- /dev/null +++ b/security/nss/doc/rst/legacy/blank_function/index.rst @@ -0,0 +1,70 @@ +.. _mozilla_projects_nss_blank_function: + +Function_Name +============= + +.. container:: + + One-line description of what the function does (more than just what it returns). + +`Syntax <#syntax>`__ +~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + .. code:: + + #include + ReturnType Function_Name( + + ParamType ParamName, + ParamType ParamName, ); + +`Parameters <#parameters>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + +---------------+---------------------------------------------------------------------------------+ + | ``ParamName`` | Sample: *in* pointer to a `CERTCertDBHandle `__ | + | | representing the certificate database to look in | + +---------------+---------------------------------------------------------------------------------+ + | ``ParamName`` | Sample: *in* pointer to an `SECItem `__ whose ``type`` must | + | | be ``siDERCertBuffer`` and whose ``data`` contains a DER-encoded certificate | + +---------------+---------------------------------------------------------------------------------+ + +`Description <#description>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + Long description of this function, what it does, and why you would use it. Describe all + side-effects on "out" parameters. Avoid describing the return until the next section, for + example: + + This function looks in the NSSCryptoContext and the NSSTrustDomain to find the certificate that + matches the DER-encoded certificate. A match is found when the issuer and serial number of the + DER-encoded certificate are found on a certificate in the certificate database. + +`Returns <#returns>`__ +~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + Full description of the return value, for example: + + A pointer to a `CERTCertificate `__ representing the certificate in + the database that matched the ``derCert``, or ``NULL`` if none was found. The certificate is a + shallow copy, use `CERT_DestroyCertificate `__ to decrement + the reference count on the certificate instance. + +.. _see_also: + +`See Also <#see_also>`__ +~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + Copy of the MXR link, with the following text + + Occurrences of ``Function_Name`` in the current NSS source code (generated by MXR). \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/building/index.rst b/security/nss/doc/rst/legacy/building/index.rst new file mode 100644 index 0000000000..aee480c4de --- /dev/null +++ b/security/nss/doc/rst/legacy/building/index.rst @@ -0,0 +1,159 @@ +.. _mozilla_projects_nss_building_ported: + +Building NSS +============ + +`Introduction <#introduction>`__ +-------------------------------- + +.. container:: + + This page has detailed information on how to build NSS. Because NSS is a cross-platform library + that builds on many different platforms and has many options, it may be complex to build. Please + read these instructions carefully before attempting to build. + +.. _build_environment: + +`Build environment <#build_environment>`__ +------------------------------------------ + +.. container:: + + NSS needs a C and C++ compiler. It has minimal dependencies, including only standard C and C++ + libraries, plus `zlib `__. + + For building, you also need `make `__. Ideally, also install + `gyp `__ and `ninja `__ and put them on your + path. This is recommended, as the build is faster and more reliable. + +`Windows <#windows>`__ +~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + NSS compilation on Windows uses the same shared build system as Mozilla Firefox. You must first + install the `Windows + Prerequisites `__, + including **MozillaBuild**. + + You can also build NSS on the Windows Subsystem for Linux, but the resulting binaries aren't + usable by other Windows applications. + +.. _get_the_source: + +`Get the source <#get_the_source>`__ +------------------------------------ + +.. container:: + + NSS and NSPR use Mercurial for source control like other Mozilla projects. To check out the + latest sources for NSS and NSPR--which may not be part of a stable release--use the following + commands: + + .. code:: + + hg clone https://hg.mozilla.org/projects/nspr + hg clone https://hg.mozilla.org/projects/nss + + To get the source of a specific release, see :ref:`mozilla_projects_nss_nss_releases`. + +`Build <#build>`__ +------------------ + +.. container:: + + Build NSS using our build script: + + .. code:: + + nss/build.sh + + This builds both NSPR and NSS. + +.. _build_with_make: + +`Build with make <#build_with_make>`__ +-------------------------------------- + +.. container:: + + Alternatively, there is a ``make`` target called "nss_build_all", which produces a similar + result. This supports some alternative options, but can be a lot slower. + + .. code:: + + make -C nss nss_build_all USE_64=1 + + The make-based build system for NSS uses a variety of variables to control the build. Below are + some of the variables, along with possible values they may be set to. + + BUILD_OPT + 0 + Build a debug (non-optimized) version of NSS. *This is the default.* + 1 + Build an optimized (non-debug) version of NSS. + + USE_64 + 0 + Build for a 32-bit environment/ABI. *This is the default.* + 1 + Build for a 64-bit environment/ABI. *This is recommended.* + + USE_ASAN + 0 + Do not create an `AddressSanitizer `__ + build. *This is the default.* + 1 + Create an AddressSanitizer build. + +.. _unit_testing: + +`Unit testing <#unit_testing>`__ +-------------------------------- + +.. container:: + + NSS contains extensive unit tests. Scripts to run these are found in the ``tests`` directory. + Run the standard suite by: + + .. code:: + + HOST=localhost DOMSUF=localdomain USE_64=1 nss/tests/all.sh + +.. _unit_test_configuration: + +`Unit test configuration <#unit_test_configuration>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + | NSS tests are configured using environment variables. + | The scripts will attempt to infer values for ``HOST`` and ``DOMSUF``, but can fail. Replace + ``localhost`` and ``localdomain`` with the hostname and domain suffix for your host. You need + to be able to connect to ``$HOST.$DOMSUF``. + + If you don't have a domain suffix you can add an entry to ``/etc/hosts`` (on + Windows,\ ``c:\Windows\System32\drivers\etc\hosts``) as follows: + + .. code:: + + 127.0.0.1 localhost.localdomain + + Validate this opening a command shell and typing: ``ping localhost.localdomain``. + + Remove the ``USE_64=1`` override if using a 32-bit build. + +.. _test_results: + +`Test results <#test_results>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + Running all tests can take a considerable amount of time. + + Test output is stored in ``tests_results/security/$HOST.$NUMBER/``. The file ``results.html`` + summarizes the results, ``output.log`` captures all the test output. + + Other subdirectories of ``nss/tests`` contain scripts that run a subset of the full suite. Those + can be run directly instead of ``all.sh``, which might save some time at the cost of coverage. diff --git a/security/nss/doc/rst/legacy/cert_findcertbydercert/index.rst b/security/nss/doc/rst/legacy/cert_findcertbydercert/index.rst new file mode 100644 index 0000000000..7e297a2df5 --- /dev/null +++ b/security/nss/doc/rst/legacy/cert_findcertbydercert/index.rst @@ -0,0 +1,64 @@ +.. _mozilla_projects_nss_cert_findcertbydercert: + +CERT_FindCertByDERCert +====================== + +.. container:: + + Find a certificate in the database that matches a DER-encoded certificate. + +`Syntax <#syntax>`__ +~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + .. code:: + + #include + CERTCertificate *CERT_FindCertByDERCert( + + CERTCertDBHandle *handle, + SECItem *derCert ); + +`Parameters <#parameters>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + +-------------+-----------------------------------------------------------------------------------+ + | ``handle`` | *in* pointer to a `CERTCertDBHandle `__ representing | + | | the certificate database to look in | + +-------------+-----------------------------------------------------------------------------------+ + | ``derCert`` | *in* pointer to an `SECItem `__ whose ``type`` must be | + | | ``siDERCertBuffer`` and whose ``data`` contains a DER-encoded certificate | + +-------------+-----------------------------------------------------------------------------------+ + +`Description <#description>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + This function looks in the ?NSSCryptoContext? and the ?NSSTrustDomain? to find the certificate + that matches the DER-encoded certificate. A match is found when the issuer and serial number of + the DER-encoded certificate are found on a certificate in the certificate database. + +`Returns <#returns>`__ +~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + A pointer to a `CERTCertificate `__ representing the certificate in + the database that matched the ``derCert``, or ``NULL`` if none was found. The certificate is a + shallow copy, use `CERT_DestroyCertificate `__ to decrement + the reference count on the certificate instance. + +.. _see_also: + +`See Also <#see_also>`__ +~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + Occurrences of + ```CERT_FindCertByDERCert`` `__ + in the current NSS source code (generated by `LXR `__). \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/cert_findcertbyissuerandsn/index.rst b/security/nss/doc/rst/legacy/cert_findcertbyissuerandsn/index.rst new file mode 100644 index 0000000000..933fff206c --- /dev/null +++ b/security/nss/doc/rst/legacy/cert_findcertbyissuerandsn/index.rst @@ -0,0 +1,82 @@ +.. _mozilla_projects_nss_cert_findcertbyissuerandsn: + +CERT_FindCertByIssuerAndSN +========================== + +.. container:: + + Find a certificate in the database with the given issuer and serial number. + +`Syntax <#syntax>`__ +~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + .. code:: + + #include + CERTCertificate *CERT_FindCertByIssuerAndSN ( + + CERTCertDBHandle *handle, + CERTIssuerAndSN *issuerAndSN ); + +`Parameters <#parameters>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + +-----------------+-------------------------------------------------------------------------------+ + | ``handle`` | *in* pointer to a `CERTCertDBHandle `__ | + | | representing the certificate database to look in | + +-----------------+-------------------------------------------------------------------------------+ + | ``issuerAndSN`` | *in* pointer to a `CERTIssuerAndSN `__ that must | + | | be properly formed to contain the issuer name and the serial number (see | + | | [Example]) | + +-----------------+-------------------------------------------------------------------------------+ + +`Description <#description>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + This function creates a certificate key using the ``issuerAndSN`` and it then uses the key to + find the matching certificate in the database. + +`Returns <#returns>`__ +~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + A pointer to a `CERTCertificate `__ representing the certificate in + the database that matched the issuer and serial number, or ``NULL`` if none was found. The + certificate is a shallow copy, use + `CERT_DestroyCertificate `__ to decrement the reference count + on the certificate instance. + +`Example <#example>`__ +~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + .. code:: + + CERTIssuerAndSN issuerSN; + issuerSN.derIssuer.data = caName->data; + issuerSN.derIssuer.len = caName->len; + issuerSN.serialNumber.data = authorityKeyID->authCertSerialNumber.data; + issuerSN.serialNumber.len = authorityKeyID->authCertSerialNumber.len; + issuerCert = CERT_FindCertByIssuerAndSN(cert->dbhandle, &issuerSN); + if ( issuerCert == NULL ) { + PORT_SetError (SEC_ERROR_UNKNOWN_ISSUER); + } + +.. _see_also: + +`See Also <#see_also>`__ +~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + Occurrences of + ```CERT_FindCertByIssuerAndSN`` `__ + in the current NSS source code (generated by `LXR `__). \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/certificate_download_specification/index.rst b/security/nss/doc/rst/legacy/certificate_download_specification/index.rst new file mode 100644 index 0000000000..5fe98aa6b9 --- /dev/null +++ b/security/nss/doc/rst/legacy/certificate_download_specification/index.rst @@ -0,0 +1,186 @@ +.. _mozilla_projects_nss_certificate_download_specification: + +NSS Certificate Download Specification +====================================== + +.. container:: + + This document describes the data formats used by NSS 3.x for installing certificates. This + document is currently being revised and has not yet been reviewed for accuracy. + +.. _data_formats: + +`Data Formats <#data_formats>`__ +-------------------------------- + +.. container:: + + NSS can accept certificates in several formats. In all cases the certificates are X509 version 1, + 2, or 3. + +.. _binary_formats: + +`Binary Formats <#binary_formats>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + NSS's certificate loader will recognize several binary formats. They are: + + - **DER encoded certificate:** This is a single binary DER encoded certificate. + - **PKCS#7 certificate chain:** This is a single + `PKCS#7 `__ ``SignedData`` object. The only + significant field in the ``SignedData`` object is the ``certificates`` field, which may + contain multiple certificates to be imported together. The contents of the ``version``, + ``digestAlgorithms``, ``contentInfo``, ``crls``, and ``signerInfos`` fields are ignored. + - **Netscape Certificate Sequence:** This is another + `PKCS#7 `__ object format, and like the + ``SignedData`` format, it allows multiple certificates to be imported together. This format is + simpler than the `PKCS#7 `__ ``SignedData`` + object format. It consists of a `PKCS#7 `__ + ``ContentInfo`` structure, wrapping a sequence of certificates. The ``contentType`` field OID + must be ``netscape-cert-sequence`` (see + :ref:`mozilla_projects_nss_certificate_download_specification#object_identifiers`). The + ``content`` field is the following ASN.1 structure: + + .. code:: + + CertificateSequence ::= SEQUENCE OF Certificate + + See the section below on + :ref:`mozilla_projects_nss_certificate_download_specification#importing_certificate_chains` for + more information about how multiple certificates are handled. + +.. _text_formats: + +`Text Formats <#text_formats>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + Any of the above :ref:`mozilla_projects_nss_certificate_download_specification#binary_formats` + can also be imported in text form. The text form begins with the following line: + + .. code:: + + -----BEGIN CERTIFICATE----- + + Following this line should be the certificate data, which can be in any of the + :ref:`mozilla_projects_nss_certificate_download_specification#binary_formats` described above. + This data must be base64 encoded as described by `RFC + 1113 `__. Following the data should be the + following line: + + .. code:: + + -----END CERTIFICATE----- + + In a text format download, NSS ignores any text before the first ``BEGIN CERTIFICATE`` line, and + ignores any text after the first ``END CERTIFICATE`` line. Between those two lines, there must be + exactly ONE item of any of the supported binary formats described above, and that one item must + be base64 encoded. Regardless of which of the supported binary formats is used, the ``BEGIN`` and + ``END`` lines must say ``CERTIFICATE``, and not any other word (such as ``KEY``). The ``BEGIN`` + and ``END`` lines must begin and end with 5 dashes, with no extra leading or trailing white space + (excluding the End Of Line characters). + +.. _importing_certificate_chains: + +`Importing Certificate Chains <#importing_certificate_chains>`__ +---------------------------------------------------------------- + +.. container:: + + Several of the formats described above can contain several certificates. When NSS's certificate + decoder encounters one of these collections of multiple certificates they are handled in the + following way: + + - The first certificate is processed in a context specific manner, depending upon how it is + being imported. For Mozilla browsers, this handling will depend upon the mime ``Content-Type`` + that is used on the object being downloaded. For NSS-based servers it will depend upon the + options selected in the server's administration interface. + + - Subsequent certificates are all treated the same. If the certificates contain a + ``BasicConstraints`` certificate extension that indicates they are CA certificates, and do not + already exist in the local certificate database, they are added as untrusted CAs. In this way + they may be used for certificate chain validation, as long as there is a trusted CA somewhere + along the chain. + +.. _importing_certificates_into_mozilla_browsers: + +`Importing Certificates into Mozilla browsers <#importing_certificates_into_mozilla_browsers>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + Mozilla browsers import certificates found in HTTP protocol responses. There are several mime + content types that are used to indicate to the browser what type of certificate is being + imported. These mime types are: + + - **``application/x-x509-user-cert``** The certificate being downloaded is a user certificate + belonging to the user operating the browser. If the private key associated with the + certificate does not exist in the user's local key database, then an error dialog is generated + and the certificate is not imported. If a certificate chain is being imported then the first + certificate in the chain must be the user certificate, and any subsequent certificates will be + added as untrusted CA certificates to the local database. + - **``application/x-x509-ca-cert``** The certificate being downloaded represents a Certificate + Authority. When it is downloaded the user will be shown a sequence of dialogs that will guide + them through the process of accepting the Certificate Authority and deciding if they wish to + trust sites certified by the CA. If a certificate chain is being imported then the first + certificate in the chain must be the CA certificate, and any subsequent certificates will be + added as untrusted CA certificates to the local database. + - **``application/x-x509-email-cert``** The certificate being downloaded is a user certificate + belonging to another user for use with S/MIME. If a certificate chain is being imported then + the first certificate in the chain must be the user certificate, and any subsequent + certificates will be added as untrusted CA certificates to the local database. This is + intended to allow people or CAs to post their e-mail certificates on web pages for download by + other users who want to send them encrypted mail. + + Note: the browser checks that the size of the object being downloaded matches the size of the + encoded certificates. Therefore it is important to ensure that no extra characters, such as NULLs + or LineFeeds are added at the end of the object. + +.. _importing_certificates_into_nss-based_servers: + +`Importing Certificates into NSS-based servers <#importing_certificates_into_nss-based_servers>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + Consult your server's administration guide for the most accurate information. For some NSS-base + servers, the following information is correct. + + Server certificates are imported via the server admin interface. Certificates are pasted into a + text input field in an HTML form, and then the form is submitted to the admin server. Since the + certificates are pasted into text fields, only the + :ref:`mozilla_projects_nss_certificate_download_specification#text_formats` described above are + supported for servers. The type of certificate being imported (e.g. server or CA or cert chain) + is specified by the server administrator by selections made on the admin pages. If a certificate + chain is being imported then the first certificate in the chain must be the server or CA + certificate, and any subsequent certificates will be added as untrusted CA certificates to the + local database. + +.. _object_identifiers: + +`Object Identifiers <#object_identifiers>`__ +-------------------------------------------- + +.. container:: + + The base of all Netscape object ids is: + + .. code:: + + netscape OBJECT IDENTIFIER ::= { 2 16 840 1 113730 } + + The hexadecimal byte value of this OID when DER encoded is: + + .. code:: + + 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42 + + The following OIDs are mentioned in this document: + + .. code:: + + netscape-data-type OBJECT IDENTIFIER :: = { netscape 2 } + netscape-cert-sequence OBJECT IDENTIFIER :: = { netscape-data-type 5 } \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/certificate_functions/index.rst b/security/nss/doc/rst/legacy/certificate_functions/index.rst new file mode 100644 index 0000000000..c1fc801c58 --- /dev/null +++ b/security/nss/doc/rst/legacy/certificate_functions/index.rst @@ -0,0 +1,410 @@ +.. _mozilla_projects_nss_certificate_functions: + +Certificate functions +===================== + +.. container:: + + The public functions listed here are used to interact with certificate databases. + + If documentation is available for a function listed below, the function name is linked to either + its MDC wiki page or its entry in the + :ref:`mozilla_projects_nss_ssl_functions_old_ssl_reference`. The `Mozilla Cross + Reference `__ (MXR) link for each function provides access to the + function definition, prototype definition, and source code references. The NSS version column + indicates which versions of NSS support the function. + + +-----------------------------------------+-------------+-----------------------------------------+ + | Function name/documentation | Source code | NSS versions | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_AddCertToListTail`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_AddExtension`` | MXR | 3.5 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_AddOCSPAcceptableResponses`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_AddOKDomainName`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_AddRDN`` | MXR | 3.2.1 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_AsciiToName`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_CacheCRL`` | MXR | 3.10 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_ClearOCSPCache`` | MXR | 3.11.7 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_CertChainFromCert`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_CertListFromCert`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_CertTimesValid`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_ChangeCertTrust`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_pro | MXR | 3.2 and later | + | jects_nss_ssl_functions_sslcrt#1056662` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_CheckNameSpace`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_CheckCertUsage`` | MXR | 3.3 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_CompareName`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_CompareValidityTimes`` | MXR | 3.11 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_CompleteCRLDecodeEntries`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_ConvertAndDecodeCertificate`` | MXR | 3.9.3 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_CopyName`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_CopyRDN`` | MXR | 3.5 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_CreateAVA`` | MXR | 3.2.1 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_CreateCertificate`` | MXR | 3.5 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_CreateCertificateRequest`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_CreateName`` | MXR | 3.2.1 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_CreateOCSPCertID`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_CreateOCSPRequest`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_CreateRDN`` | MXR | 3.2.1 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_CreateSubjectCertList`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_CreateValidity`` | MXR | 3.5 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_CRLCacheRefreshIssuer`` | MXR | 3.7 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DecodeAltNameExtension`` | MXR | 3.10 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DecodeAuthInfoAccessExtension`` | MXR | 3.10 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DecodeAuthKeyID`` | MXR | 3.10 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DecodeAVAValue`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DecodeBasicConstraintValue`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DecodeCertFromPackage`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CE | MXR | 3.2 and later | + | RT_DecodeCertificatePoliciesExtension`` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DecodeCertPackage`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DecodeCRLDistributionPoints`` | MXR | 3.10 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DecodeDERCrl`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DecodeDERCrlWithFlags`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DecodeGeneralName`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DecodeNameConstraintsExtension`` | MXR | 3.10 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DecodeOCSPResponse`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DecodeOidSequence`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``C | MXR | 3.10 and later | + | ERT_DecodePrivKeyUsagePeriodExtension`` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DecodeTrustString`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DecodeUserNotice`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DerNameToAscii`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DestroyCertArray`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_pro | MXR | 3.2 and later | + | jects_nss_ssl_functions_sslcrt#1050532` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DestroyCertificateList`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CER | MXR | 3.2 and later | + | T_DestroyCertificatePoliciesExtension`` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DestroyCertificateRequest`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DestroyCertList`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DestroyName`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DestroyOCSPCertID`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DestroyOCSPRequest`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DestroyOCSPResponse`` | MXR | 3.7 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DestroyOidSequence`` | MXR | 3.9 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DestroyUserNotice`` | MXR | 3.10 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DestroyValidity`` | MXR | 3.5 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_pro | MXR | 3.2 and later | + | jects_nss_ssl_functions_sslcrt#1058344` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DupCertList`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_EnableOCSPChecking`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_EncodeAltNameExtension`` | MXR | 3.7 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_EncodeAndAddBitStrExtension`` | MXR | 3.5 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_EncodeAuthKeyID`` | MXR | 3.5 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_EncodeBasicConstraintValue`` | MXR | 3.5 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_EncodeCertPoliciesExtension`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_EncodeCRLDistributionPoints`` | MXR | 3.5 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_EncodeGeneralName`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_EncodeInfoAccessExtension`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_EncodeInhibitAnyExtension`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_EncodeNoticeReference`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_EncodeOCSPRequest`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | `` | MXR | 3.12 and later | + | CERT_EncodePolicyConstraintsExtension`` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_EncodePolicyMappingExtension`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_EncodeSubjectKeyID`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_EncodeUserNotice`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_ExtractPublicKey`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_FindCertByName`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_FindCRLEntryReasonExten`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_FindCRLNumberExten`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_FindNameConstraintsExten`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_FilterCertListByCANames`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_FilterCertListByUsage`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_FilterCertListForUserCerts`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozil | MXR | 3.2 and later | + | la_projects_nss_cert_findcertbydercert` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_p | MXR | 3.2 and later | + | rojects_nss_cert_findcertbyissuerandsn` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_FindCertByNickname`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_FindCertByNicknameOrEmailAddr`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_FindCertBySubjectKeyID`` | MXR | 3.7 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_FindCertExtension`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_FindCertIssuer`` | MXR | 3.3 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_FindKeyUsageExtension`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_FindSMimeProfile`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_FindSubjectKeyIDExtension`` | MXR | 3.7 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_FindUserCertByUsage`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_FindUserCertsByUsage`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CE | MXR | 3.10 and later | + | RT_FinishCertificateRequestAttributes`` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_FinishExtensions`` | MXR | 3.5 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_FormatName`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_FreeDistNames`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_pro | MXR | 3.2 and later | + | jects_nss_ssl_functions_sslcrt#1050349` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetAVATag`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetCertChainFromCert`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetCertEmailAddress`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetCertificateNames`` | MXR | 3.10 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ` | MXR | 3.10 and later | + | `CERT_GetCertificateRequestExtensions`` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetCertIssuerAndSN`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_pro | MXR | 3.2 and later | + | jects_nss_ssl_functions_sslcrt#1050346` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetCertTrust`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetCertUid`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetClassicOCSPDisabledPolicy`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_G | MXR | 3.12 and later | + | etClassicOCSPEnabledHardFailurePolicy`` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_G | MXR | 3.12 and later | + | etClassicOCSPEnabledSoftFailurePolicy`` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetCommonName`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetCountryName`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetDBContentVersion`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_pro | MXR | 3.2 and later | + | jects_nss_ssl_functions_sslcrt#1052308` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetDomainComponentName`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetFirstEmailAddress`` | MXR | 3.7 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetLocalityName`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetNextEmailAddress`` | MXR | 3.7 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetNextGeneralName`` | MXR | 3.10 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetNextNameConstraint`` | MXR | 3.10 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetOCSPResponseStatus`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetOCSPStatusForCertID`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetOidString`` | MXR | 3.9 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetOrgName`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetOrgUnitName`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CE | MXR | 3.4 and later | + | RT_GetOCSPAuthorityInfoAccessLocation`` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``C | MXR | 3.12 and later | + | ERT_GetPKIXVerifyNistRevocationPolicy`` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetPrevGeneralName`` | MXR | 3.10 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetPrevNameConstraint`` | MXR | 3.10 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetSlopTime`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetSSLCACerts`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetStateName`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetUsePKIXForValidation`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetValidDNSPatternsFromCert`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GenTime2FormattedAscii`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_Hexify`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_ImportCAChain`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_ImportCerts`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_IsRootDERCert`` | MXR | 3.8 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_IsUserCert`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_KeyFromDERCrl`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_MakeCANickname`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_MergeExtensions`` | MXR | 3.10 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_NameToAscii`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_NewCertList`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_NewTempCertificate`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_NicknameStringsFromCertList`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_OpenCertDBFilename`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_OCSPCacheSettings`` | MXR | 3.11.7 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_PKIXVerifyCert`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_RemoveCertListNode`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_RFC1485_EscapeAndQuote`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_SaveSMimeProfile`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_SetSlopTime`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_SetOCSPFailureMode`` | MXR | 3.11.7 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_SetOCSPTimeout`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_SetUsePKIXForValidation`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_StartCertExtensions`` | MXR | 3.5 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``C | MXR | 3.10 and later | + | ERT_StartCertificateRequestAttributes`` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_StartCRLEntryExtensions`` | MXR | 3.10 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_StartCRLExtensions`` | MXR | 3.10 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_UncacheCRL`` | MXR | 3.10 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_pro | MXR | 3.2 and later | + | jects_nss_ssl_functions_sslcrt#1050342` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_VerifyCACertForUsage`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_VerifyCert`` | MXR | 3.2 and later. If you need to verify | + | | | for multiple usages use | + | | | CERT_VerifyCertificate | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_VerifyCertificate`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_VerifyCertificateNow`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_pro | MXR | 3.2 and later. If you need to verify | + | jects_nss_ssl_functions_sslcrt#1058011` | | for multiple usages use | + | | | CERT_VerifyCertificateNow | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_VerifyOCSPResponseSignature`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_VerifySignedData`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_VerifySignedDataWithPublicKey`` | MXR | 3.7 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``C | MXR | 3.7 and later | + | ERT_VerifySignedDataWithPublicKeyInfo`` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_pro | MXR | 3.2 and later | + | jects_nss_ssl_functions_sslcrt#1056760` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_pro | MXR | 3.2 and later | + | jects_nss_ssl_functions_sslcrt#1056950` | | | + +-----------------------------------------+-------------+-----------------------------------------+ \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/certverify_log/index.rst b/security/nss/doc/rst/legacy/certverify_log/index.rst new file mode 100644 index 0000000000..7c1288e0a4 --- /dev/null +++ b/security/nss/doc/rst/legacy/certverify_log/index.rst @@ -0,0 +1,55 @@ +.. _mozilla_projects_nss_certverify_log: + +NSS CERTVerify Log +================== + +`CERTVerifyLog <#certverifylog>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + All the NSS verify functions except, the \*VerifyNow() functions, take a parameter called + 'CERTVerifyLog'. If you supply the log parameter, NSS will continue chain validation after each + error . The log tells you what the problem was with the chain and what certificate in the chain + failed. + + To create a log: + + .. code:: + + #include "secport.h" + #include "certt.h" + + CERTVerifyLog *log; + + arena = PORT_NewArena(512); + log = PORT_ArenaZNew(arena,log); + log->arena = arena; + + You can then pass this log into your favorite cert verify function. On return: + + - log->count is the number of entries. + - log->head is the first entry; + - log->tail is the last entry. + + Each entry is a CERTVerifyLogNode. Defined in certt.h: + + .. code:: + + /* + * This structure is used to keep a log of errors when verifying + * a cert chain. This allows multiple errors to be reported all at + * once. + */ + struct CERTVerifyLogNodeStr { + CERTCertificate *cert; /* what cert had the error */ + long error; /* what error was it? */ + unsigned int depth; /* how far up the chain are we */ + void *arg; /* error specific argument */ + struct CERTVerifyLogNodeStr *next; /* next in the list */ + struct CERTVerifyLogNodeStr *prev; /* next in the list */ + }; + + The list is a doubly linked NULL terminated list sorted from low to high based on depth into the + cert chain. When you are through, you will need to walk the list and free all the cert entries, + then free the arena. \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/code_coverage/index.rst b/security/nss/doc/rst/legacy/code_coverage/index.rst new file mode 100644 index 0000000000..1bafb3f6c1 --- /dev/null +++ b/security/nss/doc/rst/legacy/code_coverage/index.rst @@ -0,0 +1,73 @@ +.. _mozilla_projects_nss_code_coverage: + +NSS Code Coverage +================= + +.. _nss_-_code_coverage: + +`NSS - Code Coverage <#nss_-_code_coverage>`__ +---------------------------------------------- + +.. _results_link: + +`Results link <#results_link>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + - `2007-08-14 - Solaris/Sparc + platform `__ + +.. _results_explanation: + +`Results explanation <#results_explanation>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + .. rubric:: Files + :name: files + + - Results from every C file are on new line. + - If file was tested, link points to annotated source file (in TCOV directory), otherwise to + original source file (CVS directory). + + .. rubric:: Colors + :name: colors + + - Green: 70-100% of blocks tested. + - Yellow: 40-70% of blocks tested. + - Orange: 0-40% of blocks tested. + - Red: file not tested. File is not part of any binary or library used by test suite. + + .. rubric:: Numbers in tested files + :name: numbers_in_tested_files + + - Example: 72.69% (165/227/731) + + - 72.69% - ratio of tested blocks and total blocks in file (generated by TCOV). + - 165 - tested blocks in file (generated by TCOV). + - 227 - total blocks in file (generated by TCOV). + - 31 - total lines in file (by wc -l command). + + .. rubric:: Numbers in not tested files + :name: numbers_in_not_tested_files + + - Example: Not tested (0/?/878). + + - 0 - tested blocks in file (always 0). + - ? - total blocks in file (there is no trivial method to get this number without TCOV). + - 878 - total lines in file (by wc -l command). + + .. rubric:: Numbers in total count + :name: numbers_in_total_count + + - Example: Total: 42% (574/1351). + + - 42% - ratio of tested blocks and total blocks in file. + - 165 - tested blocks in all files in directory (sum of numbers generated by TCOV). + - 227 - total blocks in all files in directory (sum of numbers generated by TCOV). + + - These numbers doesn't count blocks in files which are not tested (marked with red color), + because we don't know number of blocks there. + - Total count at the end of report counts blocks in all tested files in all directories. \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/cryptography_functions/index.rst b/security/nss/doc/rst/legacy/cryptography_functions/index.rst new file mode 100644 index 0000000000..ca3fb8601a --- /dev/null +++ b/security/nss/doc/rst/legacy/cryptography_functions/index.rst @@ -0,0 +1,500 @@ +.. _mozilla_projects_nss_cryptography_functions: + +Cryptography functions +====================== + +.. container:: + + The public functions listed here perform cryptographic operations based on the PKCS #11 + interface. + + If documentation is available for a function listed below, the function name is linked to either + its MDC wiki page or its entry in the + :ref:`mozilla_projects_nss_ssl_functions_old_ssl_reference`. The `Mozilla Cross + Reference `__ (MXR) link for each function provides access to the + function definition, prototype definition, and source code references. The NSS version column + indicates which versions of NSS support the function. + + +-----------------------------------------+-------------+-----------------------------------------+ + | Function name/documentation | Source code | NSS versions | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_AlgtagToMechanism`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_Authenticate`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_BlockData`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_ChangePW`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_CheckUserPassword`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_CipherOp`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_CloneContext`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_ConfigurePKCS11`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK1 | MXR | 3.6 and later | + | 1_ConvertSessionPrivKeyToTokenPrivKey`` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``P | MXR | 3.6 and later | + | K11_ConvertSessionSymKeyToTokenSymKey`` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | `` | MXR | 3.11 and later | + | PK11_CopyTokenPrivKeyToSessionPrivKey`` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_CreateContextBySymKey`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_CreateDigestContext`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_CreateGenericObject`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_CreateMergeLog`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_CreatePBEAlgorithmID`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_CreatePBEV2AlgorithmID`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_DeleteTokenPrivateKey`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_DeleteTokenPublicKey`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_DeleteTokenSymKey`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_Derive`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_DeriveWithFlags`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_DeriveWithFlagsPerm`` | MXR | 3.9 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_DestroyContext`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_DestroyGenericObject`` | MXR | 3.9.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_DestroyGenericObjects`` | MXR | 3.9.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_DestroyMergeLog`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_DestroyObject`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_DestroyTokenObject`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_DigestBegin`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_DigestKey`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_DigestOp`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_DigestFinal`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_DoesMechanism`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_ExportEncryptedPrivateKeyInfo`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_ExportEncryptedPrivKeyInfo`` | MXR | 3.9 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_ExportPrivateKeyInfo`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_Finalize`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_FindBestKEAMatch`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_FindCertAndKeyByRecipientList`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | `` | MXR | 3.2 and later | + | PK11_FindCertAndKeyByRecipientListNew`` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_FindCertByIssuerAndSN`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_FindCertFromDERCert`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_pr | MXR | 3.2 and later | + | ojects_nss_ssl_functions_pkfnc#1035673` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_FindCertInSlot`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_FindGenericObjects`` | MXR | 3.9.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_FindFixedKey`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_pr | MXR | 3.2 and later | + | ojects_nss_ssl_functions_pkfnc#1026891` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_FindKeyByDERCert`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_FindPrivateKeyFromCert`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_FindSlotByName`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_FindSlotsByNames`` | MXR | 3.9 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_FortezzaHasKEA`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_FortezzaMapSig`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_FreeSlot`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_FreeSlotList`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_FreeSlotListElement`` | MXR | 3.11 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_FreeSymKey`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GenerateFortezzaIV`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GenerateKeyPair`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GenerateKeyPairWithFlags`` | MXR | 3.10.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GenerateKeyPairWithOpFlags`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GenerateNewParam`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GenerateRandom`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GenerateRandomOnSlot`` | MXR | 3.11 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetAllTokens`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetAllSlotsForCert`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetBestKeyLength`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetBestSlot`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetBestSlotMultiple`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetBestWrapMechanism`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetBlockSize`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetCertFromPrivateKey`` | MXR | 3.9.3 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetCurrentWrapIndex`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetDefaultArray`` | MXR | 3.8 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetDefaultFlags`` | MXR | 3.8 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetDisabledReason`` | MXR | 3.8 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetFirstSafe`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetInternalKeySlot`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetInternalSlot`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetKeyGen`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetKeyLength`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetKeyStrength`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetMechanism`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetMinimumPwdLength`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetModInfo`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetModule`` | MXR | 3.3 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetModuleID`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetNextGenericObject`` | MXR | 3.9.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetNextSafe`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetNextSymKey`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetPadMechanism`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetPBECryptoMechanism`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetPBEIV`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetPQGParamsFromPrivateKey`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetPrevGenericObject`` | MXR | 3.9.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetPrivateKeyNickname`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetPrivateModulusLen`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetPublicKeyNickname`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetSlotFromKey`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetSlotFromPrivateKey`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetSlotID`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetSlotInfo`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_pr | MXR | 3.2 and later | + | ojects_nss_ssl_functions_pkfnc#1030779` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetSlotSeries`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetSymKeyNickname`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetSymKeyType`` | MXR | 3.9 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetSymKeyUserData`` | MXR | 3.11 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetTokenInfo`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_pro | MXR | 3.2 and later | + | jects_nss_ssl_functions_sslcrt#1026964` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetWindow`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetWrapKey`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_HashBuf`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_HasRootCerts`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_ImportCert`` | MXR | 3.5 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_ImportCertForKeyToSlot`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_ImportCRL`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_ImportDERCert`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK1 | MXR | 3.4 and later | + | 1_ImportDERPrivateKeyInfoAndReturnKey`` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_ImportEncryptedPrivateKeyInfo`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_ImportPrivateKeyInfo`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | `` | MXR | 3.4 and later | + | PK11_ImportPrivateKeyInfoAndReturnKey`` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_ImportPublicKey`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_ImportSymKeyWithFlags`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_InitPin`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_IsFIPS`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_IsDisabled`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_IsFriendly`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_pr | MXR | 3.2 and later | + | ojects_nss_ssl_functions_pkfnc#1026762` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_IsInternal`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_pro | MXR | 3.2 and later | + | jects_nss_ssl_functions_sslcrt#1026762` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_pr | MXR | 3.2 and later | + | ojects_nss_ssl_functions_pkfnc#1022991` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_IsRemovable`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_IVFromParam`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_KeyGen`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_LinkGenericObject`` | MXR | 3.9.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_ListCerts`` | MXR | 3.2 and later. Updated 3.8 with new | + | | | options. See bug | + | | | `215186 `__ | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_ListFixedKeysInSlot`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_ListPrivKeysInSlot`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_ListPublicKeysInSlot`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_LoadPrivKey`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_LogoutAll`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_MakeKEAPubKey`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | `` | MXR | 3.2 and later | + | PK11_MapPBEMechanismToCryptoMechanism`` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_MapSignKeyType`` | MXR | 3.11 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_MechanismToAlgtag`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_MergeTokens`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_MoveSymKey`` | MXR | 3.9 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_NeedLogin`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_NeedUserInit`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_ParamFromIV`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_ParamFromAlgid`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_ParamToAlgid`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_PBEKeyGen`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_PrivDecryptPKCS1`` | MXR | 3.9.3 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_ProtectedAuthenticationPath`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_PubDecryptRaw`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_PubDerive`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_PubDeriveWithKDF`` | MXR | 3.9 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_PubEncryptPKCS1`` | MXR | 3.9.3 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_PubEncryptRaw`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_PubUnwrapSymKey`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_PubUnwrapSymKeyWithFlags`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_PubUnwrapSymKeyWithFlagsPerm`` | MXR | 3.9 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_PubWrapSymKey`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_RandomUpdate`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_ReadRawAttribute`` | MXR | 3.9.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_ReferenceSymKey`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_ResetToken`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_RestoreContext`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_SaveContext`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_SaveContextAlloc`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_SetFortezzaHack`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_pr | MXR | 3.2 and later | + | ojects_nss_ssl_functions_pkfnc#1023128` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_SetPrivateKeyNickname`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_SetPublicKeyNickname`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_SetSlotPWValues`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_SetSymKeyNickname`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_SetSymKeyUserData`` | MXR | 3.11 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_SetWrapKey`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_Sign`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_SignatureLen`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_SymKeyFromHandle`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_TokenExists`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_TokenKeyGen`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_TokenKeyGenWithFlags`` | MXR | 3.10.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_TokenRefresh`` | MXR | 3.7.1 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_TraverseCertsForNicknameInSlot`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_TraverseCertsForSubjectInSlot`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_TraverseSlotCerts`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_UnlinkGenericObject`` | MXR | 3.9.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_UnwrapSymKey`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_UnwrapSymKeyWithFlags`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_UnwrapSymKeyWithFlagsPerm`` | MXR | 3.9 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_UpdateSlotAttribute`` | MXR | 3.8 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_UserEnableSlot`` | MXR | 3.8 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_UserDisableSlot`` | MXR | 3.8 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_Verify`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_VerifyKeyOK`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_WaitForTokenEvent`` | MXR | 3.7 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_WrapSymKey`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_WriteRawAttribute`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11SDR_Encrypt`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11SDR_Decrypt`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``SEC_DeletePermCertificate`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``SEC_DeletePermCRL`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``SEC_DerSignData`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``SEC_DestroyCrl`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``SEC_FindCrlByDERCert`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``SEC_FindCrlByName`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``SEC_LookupCrls`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``SEC_NewCrl`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``SEC_QuickDERDecodeItem`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``SECKEY_CacheStaticFlags`` | MXR | 3.10 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``SECKEY_ConvertToPublicKey`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``SECKEY_CopyPrivateKey`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``SECKEY_CopyPublicKey`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``SECKEY_CopySubjectPublicKeyInfo`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``SECKEY_CreateDHPrivateKey`` | MXR | 3.3 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``SECKEY_CreateECPrivateKey`` | MXR | 3.8 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``SECKEY_CreateSubjectPublicKeyInfo`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ` | MXR | 3.4 and later | + | `SECKEY_DecodeDERSubjectPublicKeyInfo`` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_pro | MXR | 3.2 and later | + | jects_nss_ssl_functions_sslkey#1051017` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``SECKEY_ECParamsToBasePointOrderLen`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``SECKEY_ECParamsToKeySize`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``SECKEY_DestroyPublicKeyList`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``SECKEY_DestroySubjectPublicKeyInfo`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``SECKEY_GetPublicKeyType`` | MXR | 3.3 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``SECKEY_PublicKeyStrengthInBits`` | MXR | 3.8 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``SECKEY_SignatureLen`` | MXR | 3.11.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/deprecated_ssl_functions/index.rst b/security/nss/doc/rst/legacy/deprecated_ssl_functions/index.rst new file mode 100644 index 0000000000..3db5071502 --- /dev/null +++ b/security/nss/doc/rst/legacy/deprecated_ssl_functions/index.rst @@ -0,0 +1,34 @@ +.. _mozilla_projects_nss_deprecated_ssl_functions: + +Deprecated SSL functions +======================== + +.. container:: + + The following SSL functions have been replaced with newer versions. The deprecated functions are + not supported by the new SSL shared libraries. Applications that want to use the SSL shared + libraries must convert to calling the new replacement functions listed below. + + Each function name is linked to its entry in the + :ref:`mozilla_projects_nss_ssl_functions_old_ssl_reference`. The `Mozilla Cross + Reference `__ (MXR) link for each function provides access to the + function definition, prototype definition, and source code references. + + +-----------------------------------------+-------------+-----------------------------------------+ + | Function name/documentation | Source code | Replacement in NSS 3.2 | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_pro | MXR | :ref:`mozilla_pro | + | jects_nss_ssl_functions_sslfnc#1220189` | | jects_nss_ssl_functions_sslfnc#1086543` | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_pro | MXR | :ref:`mozilla_pro | + | jects_nss_ssl_functions_sslfnc#1207298` | | jects_nss_ssl_functions_sslfnc#1084747` | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_pro | MXR | :ref:`mozilla_pro | + | jects_nss_ssl_functions_sslfnc#1206365` | | jects_nss_ssl_functions_sslfnc#1068466` | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_pro | MXR | :ref:`mozilla_pro | + | jects_nss_ssl_functions_sslfnc#1231825` | | jects_nss_ssl_functions_sslfnc#1232052` | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_pro | MXR | :ref:`mozilla_pro | + | jects_nss_ssl_functions_sslfnc#1207350` | | jects_nss_ssl_functions_sslfnc#1104647` | + +-----------------------------------------+-------------+-----------------------------------------+ \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/encrypt_decrypt_mac_keys_as_session_objects/index.rst b/security/nss/doc/rst/legacy/encrypt_decrypt_mac_keys_as_session_objects/index.rst new file mode 100644 index 0000000000..4d6d09bcf0 --- /dev/null +++ b/security/nss/doc/rst/legacy/encrypt_decrypt_mac_keys_as_session_objects/index.rst @@ -0,0 +1,1206 @@ +.. _mozilla_projects_nss_encrypt_decrypt_mac_keys_as_session_objects: + +Encrypt Decrypt MAC Keys As Session Objects +=========================================== + +.. _nss_sample_code_4_encryptiondecryption_and_mac_keys_using_session.: + +`NSS Sample Code 4: Encryption/Decryption and MAC Keys Using Session. <#nss_sample_code_4_encryptiondecryption_and_mac_keys_using_session.>`__ +---------------------------------------------------------------------------------------------------------------------------------------------- + +.. container:: + + Generates encryption/mac keys and uses session objects. + + .. code:: c + + /* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at https://mozilla.org/MPL/2.0/. */ + + /* NSPR Headers */ + #include + #include + #include + #include + #include + #include + #include + + /* NSS headers */ + #include + #include + + /* our samples utilities */ + #include "util.h" + + #define BUFFERSIZE 80 + #define DIGESTSIZE 16 + #define PTEXT_MAC_BUFFER_SIZE 96 + #define CIPHERSIZE 96 + #define BLOCKSIZE 32 + + #define CIPHER_HEADER "-----BEGIN CIPHER-----" + #define CIPHER_TRAILER "-----END CIPHER-----" + #define ENCKEY_HEADER "-----BEGIN AESKEY CKAID-----" + #define ENCKEY_TRAILER "-----END AESKEY CKAID-----" + #define MACKEY_HEADER "-----BEGIN MACKEY CKAID-----" + #define MACKEY_TRAILER "-----END MACKEY CKAID-----" + #define IV_HEADER "-----BEGIN IV-----" + #define IV_TRAILER "-----END IV-----" + #define MAC_HEADER "-----BEGIN MAC-----" + #define MAC_TRAILER "-----END MAC-----" + #define PAD_HEADER "-----BEGIN PAD-----" + #define PAD_TRAILER "-----END PAD-----" + + typedef enum { + ENCRYPT, + DECRYPT, + UNKNOWN + } CommandType; + + typedef enum { + SYMKEY = 0, + MACKEY = 1, + IV = 2, + MAC = 3, + PAD = 4 + } HeaderType; + + + /* + * Print usage message and exit + */ + static void + Usage(const char *progName) + { + fprintf(stderr, "\nUsage: %s -c -d [-z ] " + "[-p | -f ] -i -o \n\n", + progName); + fprintf(stderr, "%-20s Specify 'a' for encrypt operation\n\n", + "-c "); + fprintf(stderr, "%-20s Specify 'b' for decrypt operation\n\n", + " "); + fprintf(stderr, "%-20s Specify db directory path\n\n", + "-d "); + fprintf(stderr, "%-20s Specify db password [optional]\n\n", + "-p "); + fprintf(stderr, "%-20s Specify db password file [optional]\n\n", + "-f "); + fprintf(stderr, "%-20s Specify noise file name [optional]\n\n", + "-z "); + fprintf(stderr, "%-21s Specify an input file name\n\n", + "-i "); + fprintf(stderr, "%-21s Specify an output file name\n\n", + "-o "); + fprintf(stderr, "%-7s For encrypt, it takes as an input file and produces\n", + "Note :"); + fprintf(stderr, "%-7s .enc and .header as intermediate output files.\n\n", + ""); + fprintf(stderr, "%-7s For decrypt, it takes .enc and .header\n", + ""); + fprintf(stderr, "%-7s as input files and produces as a final output file.\n\n", + ""); + exit(-1); + } + + /* + * Gather a CKA_ID + */ + SECStatus + GatherCKA_ID(PK11SymKey* key, SECItem* buf) + { + SECStatus rv = PK11_ReadRawAttribute(PK11_TypeSymKey, key, CKA_ID, buf); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "PK11_ReadRawAttribute returned (%d)\n", rv); + PR_fprintf(PR_STDERR, "Could not read SymKey CKA_ID attribute\n"); + return rv; + } + return rv; + } + + /* + * Generate a Symmetric Key + */ + PK11SymKey * + GenerateSYMKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE mechanism, + int keySize, SECItem *keyID, secuPWData *pwdata) + { + SECStatus rv; + PK11SymKey *key; + + if (PK11_NeedLogin(slot)) { + rv = PK11_Authenticate(slot, PR_TRUE, pwdata); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Could not authenticate to token %s.\n", + PK11_GetTokenName(slot)); + return NULL; + } + } + + /* Generate the symmetric key */ + key = PK11_TokenKeyGen(slot, mechanism, + NULL, keySize, keyID, PR_TRUE, pwdata); + + if (!key) { + PR_fprintf(PR_STDERR, "Symmetric Key Generation Failed \n"); + } + + return key; + } + + /* + * MacInit + */ + SECStatus + MacInit(PK11Context *ctx) + { + SECStatus rv = PK11_DigestBegin(ctx); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Compute MAC Failed : PK11_DigestBegin()\n"); + } + return rv; + } + + /* + * MacUpdate + */ + SECStatus + MacUpdate(PK11Context *ctx, + unsigned char *msg, unsigned int msgLen) + { + SECStatus rv = PK11_DigestOp(ctx, msg, msgLen); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Compute MAC Failed : DigestOp()\n"); + } + return rv; + } + + /* + * Finalize MACing + */ + SECStatus + MacFinal(PK11Context *ctx, + unsigned char *mac, unsigned int *macLen, unsigned int maxLen) + { + SECStatus rv = PK11_DigestFinal(ctx, mac, macLen, maxLen); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Compute MAC Failed : PK11_DigestFinal()\n"); + } + return SECSuccess; + } + + /* + * Compute Mac + */ + SECStatus + ComputeMac(PK11Context *ctxmac, + unsigned char *ptext, unsigned int ptextLen, + unsigned char *mac, unsigned int *macLen, + unsigned int maxLen) + { + SECStatus rv = MacInit(ctxmac); + if (rv != SECSuccess) return rv; + rv = MacUpdate(ctxmac, ptext, ptextLen); + if (rv != SECSuccess) return rv; + rv = MacFinal(ctxmac, mac, macLen, maxLen); + return rv; + } + + /* + * WriteToHeaderFile + */ + SECStatus + WriteToHeaderFile(const char *buf, unsigned int len, HeaderType type, + PRFileDesc *outFile) + { + SECStatus rv; + char header[40]; + char trailer[40]; + char *outString = NULL; + + switch (type) { + case SYMKEY: + strcpy(header, ENCKEY_HEADER); + strcpy(trailer, ENCKEY_TRAILER); + break; + case MACKEY: + strcpy(header, MACKEY_HEADER); + strcpy(trailer, MACKEY_TRAILER); + break; + case IV: + strcpy(header, IV_HEADER); + strcpy(trailer, IV_TRAILER); + break; + case MAC: + strcpy(header, MAC_HEADER); + strcpy(trailer, MAC_TRAILER); + break; + case PAD: + strcpy(header, PAD_HEADER); + strcpy(trailer, PAD_TRAILER); + break; + } + + PR_fprintf(outFile, "%s\n", header); + PrintAsHex(outFile, buf, len); + PR_fprintf(outFile, "%s\n\n", trailer); + return SECSuccess; + } + + /* + * Initialize for encryption or decryption - common code + */ + PK11Context * + CryptInit(PK11SymKey *key, + unsigned char *iv, unsigned int ivLen, + CK_MECHANISM_TYPE type, CK_ATTRIBUTE_TYPE operation) + { + SECItem ivItem = { siBuffer, iv, ivLen }; + PK11Context *ctx = NULL; + + SECItem *secParam = PK11_ParamFromIV(CKM_AES_CBC, &ivItem); + if (secParam == NULL) { + PR_fprintf(PR_STDERR, "Crypt Failed : secParam NULL\n"); + return NULL; + } + ctx = PK11_CreateContextBySymKey(CKM_AES_CBC, operation, key, secParam); + if (ctx == NULL) { + PR_fprintf(PR_STDERR, "Crypt Failed : can't create a context\n"); + goto cleanup; + + } + cleanup: + if (secParam) { + SECITEM_FreeItem(secParam, PR_TRUE); + } + return ctx; + } + + /* + * Common encryption and decryption code + */ + SECStatus + Crypt(PK11Context *ctx, + unsigned char *out, unsigned int *outLen, unsigned int maxOut, + unsigned char *in, unsigned int inLen) + { + SECStatus rv; + + rv = PK11_CipherOp(ctx, out, outLen, maxOut, in, inLen); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Crypt Failed : PK11_CipherOp returned %d\n", rv); + goto cleanup; + } + + cleanup: + if (rv != SECSuccess) { + return rv; + } + return SECSuccess; + } + + /* + * Decrypt + */ + SECStatus + Decrypt(PK11Context *ctx, + unsigned char *out, unsigned int *outLen, unsigned int maxout, + unsigned char *in, unsigned int inLen) + { + return Crypt(ctx, out, outLen, maxout, in, inLen); + } + + /* + * Encrypt + */ + SECStatus + Encrypt(PK11Context* ctx, + unsigned char *out, unsigned int *outLen, unsigned int maxout, + unsigned char *in, unsigned int inLen) + { + return Crypt(ctx, out, outLen, maxout, in, inLen); + } + + /* + * EncryptInit + */ + PK11Context * + EncryptInit(PK11SymKey *ek, unsigned char *iv, unsigned int ivLen, + CK_MECHANISM_TYPE type) + { + return CryptInit(ek, iv, ivLen, type, CKA_ENCRYPT); + } + + /* + * DecryptInit + */ + PK11Context * + DecryptInit(PK11SymKey *dk, unsigned char *iv, unsigned int ivLen, + CK_MECHANISM_TYPE type) + { + return CryptInit(dk, iv, ivLen, type, CKA_DECRYPT); + } + + /* + * Read cryptographic parameters from the header file + */ + SECStatus + ReadFromHeaderFile(const char *fileName, HeaderType type, + SECItem *item, PRBool isHexData) + { + SECStatus rv; + PRFileDesc* file; + SECItem filedata; + SECItem outbuf; + unsigned char *nonbody; + unsigned char *body; + char header[40]; + char trailer[40]; + + outbuf.type = siBuffer; + file = PR_Open(fileName, PR_RDONLY, 0); + if (!file) { + PR_fprintf(PR_STDERR, "Failed to open %s\n", fileName); + return SECFailure; + } + switch (type) { + case SYMKEY: + strcpy(header, ENCKEY_HEADER); + strcpy(trailer, ENCKEY_TRAILER); + break; + case MACKEY: + strcpy(header, MACKEY_HEADER); + strcpy(trailer, MACKEY_TRAILER); + break; + case IV: + strcpy(header, IV_HEADER); + strcpy(trailer, IV_TRAILER); + break; + case MAC: + strcpy(header, MAC_HEADER); + strcpy(trailer, MAC_TRAILER); + break; + case PAD: + strcpy(header, PAD_HEADER); + strcpy(trailer, PAD_TRAILER); + break; + } + + rv = FileToItem(&filedata, file); + nonbody = (char *)filedata.data; + if (!nonbody) { + PR_fprintf(PR_STDERR, "unable to read data from input file\n"); + rv = SECFailure; + goto cleanup; + } + + /* check for headers and trailers and remove them */ + if ((body = strstr(nonbody, header)) != NULL) { + char *trail = NULL; + nonbody = body; + body = PORT_Strchr(body, '\n'); + if (!body) + body = PORT_Strchr(nonbody, '\r'); /* maybe this is a MAC file */ + if (body) + trail = strstr(++body, trailer); + if (trail != NULL) { + *trail = '\0'; + } else { + PR_fprintf(PR_STDERR, "input has header but no trailer\n"); + PORT_Free(filedata.data); + return SECFailure; + } + } else { + body = nonbody; + } + + cleanup: + PR_Close(file); + HexToBuf(body, item, isHexData); + return SECSuccess; + } + + /* + * EncryptAndMac + */ + SECStatus + EncryptAndMac(PRFileDesc *inFile, + PRFileDesc *headerFile, + PRFileDesc *encFile, + PK11SymKey *ek, + PK11SymKey *mk, + unsigned char *iv, unsigned int ivLen, + PRBool ascii) + { + SECStatus rv; + unsigned char ptext[BLOCKSIZE]; + unsigned int ptextLen; + unsigned char mac[DIGESTSIZE]; + unsigned int macLen; + unsigned int nwritten; + unsigned char encbuf[BLOCKSIZE]; + unsigned int encbufLen; + SECItem noParams = { siBuffer, NULL, 0 }; + PK11Context *ctxmac = NULL; + PK11Context *ctxenc = NULL; + unsigned int pad[1]; + SECItem padItem; + unsigned int paddingLength; + + static unsigned int firstTime = 1; + int j; + + ctxmac = PK11_CreateContextBySymKey(CKM_MD5_HMAC, CKA_SIGN, mk, &noParams); + if (ctxmac == NULL) { + PR_fprintf(PR_STDERR, "Can't create MAC context\n"); + rv = SECFailure; + goto cleanup; + } + rv = MacInit(ctxmac); + if (rv != SECSuccess) { + goto cleanup; + } + + ctxenc = EncryptInit(ek, iv, ivLen, CKM_AES_CBC); + + /* read a buffer of plaintext from input file */ + while ((ptextLen = PR_Read(inFile, ptext, sizeof(ptext))) > 0) { + + /* Encrypt using it using CBC, using previously created IV */ + if (ptextLen != BLOCKSIZE) { + paddingLength = BLOCKSIZE - ptextLen; + for ( j=0; j < paddingLength; j++) { + ptext[ptextLen+j] = (unsigned char)paddingLength; + } + ptextLen = BLOCKSIZE; + } + rv = Encrypt(ctxenc, + encbuf, &encbufLen, sizeof(encbuf), + ptext, ptextLen); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Encrypt Failure\n"); + goto cleanup; + } + + /* save the last block of ciphertext as the next IV */ + iv = encbuf; + ivLen = encbufLen; + + /* write the cipher text to intermediate file */ + nwritten = PR_Write(encFile, encbuf, encbufLen); + /*PR_Assert(nwritten == encbufLen);*/ + + rv = MacUpdate(ctxmac, ptext, ptextLen); + } + + rv = MacFinal(ctxmac, mac, &macLen, DIGESTSIZE); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "MacFinal Failure\n"); + goto cleanup; + } + if (macLen == 0) { + PR_fprintf(PR_STDERR, "Bad MAC length\n"); + rv = SECFailure; + goto cleanup; + } + WriteToHeaderFile(mac, macLen, MAC, headerFile); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Write MAC Failure\n"); + goto cleanup; + } + + pad[0] = paddingLength; + padItem.type = siBuffer; + padItem.data = (unsigned char *)pad; + padItem.len = sizeof(pad[0]); + + WriteToHeaderFile(padItem.data, padItem.len, PAD, headerFile); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Write PAD Failure\n"); + goto cleanup; + } + + rv = SECSuccess; + + cleanup: + if (ctxmac != NULL) { + PK11_DestroyContext(ctxmac, PR_TRUE); + } + if (ctxenc != NULL) { + PK11_DestroyContext(ctxenc, PR_TRUE); + } + + return rv; + } + + /* + * Find the Key for the given mechanism + */ + PK11SymKey* + FindKey(PK11SlotInfo *slot, + CK_MECHANISM_TYPE mechanism, + SECItem *keyBuf, secuPWData *pwdata) + { + SECStatus rv; + PK11SymKey *key; + + if (PK11_NeedLogin(slot)) { + rv = PK11_Authenticate(slot, PR_TRUE, pwdata); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, + "Could not authenticate to token %s.\n", + PK11_GetTokenName(slot)); + if (slot) { + PK11_FreeSlot(slot); + } + return NULL; + } + } + + key = PK11_FindFixedKey(slot, mechanism, keyBuf, 0); + if (!key) { + PR_fprintf(PR_STDERR, + "PK11_FindFixedKey failed (err %d)\n", + PR_GetError()); + PK11_FreeSlot(slot); + return NULL; + } + return key; + } + + /* + * Decrypt and Verify MAC + */ + SECStatus + DecryptAndVerifyMac(const char* outFileName, + char *encryptedFileName, + SECItem *cItem, SECItem *macItem, + PK11SymKey* ek, PK11SymKey* mk, SECItem *ivItem, SECItem *padItem) + { + SECStatus rv; + PRFileDesc* inFile; + PRFileDesc* outFile; + + unsigned char decbuf[64]; + unsigned int decbufLen; + + unsigned char ptext[BLOCKSIZE]; + unsigned int ptextLen = 0; + unsigned char ctext[64]; + unsigned int ctextLen; + unsigned char newmac[DIGESTSIZE]; + unsigned int newmacLen = 0; + unsigned int newptextLen = 0; + unsigned int count = 0; + unsigned int temp = 0; + unsigned int blockNumber = 0; + SECItem noParams = { siBuffer, NULL, 0 }; + PK11Context *ctxmac = NULL; + PK11Context *ctxenc = NULL; + + unsigned char iv[BLOCKSIZE]; + unsigned int ivLen = ivItem->len; + unsigned int fileLength; + unsigned int paddingLength; + int j; + + memcpy(iv, ivItem->data, ivItem->len); + paddingLength = (unsigned int)padItem->data[0]; + + ctxmac = PK11_CreateContextBySymKey(CKM_MD5_HMAC, CKA_SIGN, mk, &noParams); + if (ctxmac == NULL) { + PR_fprintf(PR_STDERR, "Can't create MAC context\n"); + rv = SECFailure; + goto cleanup; + } + + /* Open the input file. */ + inFile = PR_Open(encryptedFileName, PR_RDONLY , 0); + if (!inFile) { + PR_fprintf(PR_STDERR, + "Unable to open \"%s\" for writing.\n", + encryptedFileName); + return SECFailure; + } + /* Open the output file. */ + outFile = PR_Open(outFileName, + PR_CREATE_FILE | PR_TRUNCATE | PR_RDWR , 00660); + if (!outFile) { + PR_fprintf(PR_STDERR, + "Unable to open \"%s\" for writing.\n", + outFileName); + return SECFailure; + } + + rv = MacInit(ctxmac); + if (rv != SECSuccess) goto cleanup; + + ctxenc = DecryptInit(ek, iv, ivLen, CKM_AES_CBC); + fileLength = FileSize(encryptedFileName); + + while ((ctextLen = PR_Read(inFile, ctext, sizeof(ctext))) > 0) { + + count += ctextLen; + + /* decrypt cipher text buffer using CBC and IV */ + + rv = Decrypt(ctxenc, decbuf, &decbufLen, sizeof(decbuf), + ctext, ctextLen); + + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Decrypt Failure\n"); + goto cleanup; + } + + if (decbufLen == 0) break; + + rv = MacUpdate(ctxmac, decbuf, decbufLen); + if (rv != SECSuccess) { goto cleanup; } + if (count == fileLength) { + decbufLen = decbufLen-paddingLength; + } + + /* write the plain text to out file */ + temp = PR_Write(outFile, decbuf, decbufLen); + if (temp != decbufLen) { + PR_fprintf(PR_STDERR, "write error\n"); + rv = SECFailure; + break; + } + + /* save last block of ciphertext */ + memcpy(iv, decbuf, decbufLen); + ivLen = decbufLen; + blockNumber++; + } + + if (rv != SECSuccess) { goto cleanup; } + + rv = MacFinal(ctxmac, newmac, &newmacLen, sizeof(newmac)); + if (rv != SECSuccess) { goto cleanup; } + + if (PORT_Memcmp(macItem->data, newmac, newmacLen) == 0) { + rv = SECSuccess; + } else { + PR_fprintf(PR_STDERR, "Check MAC : Failure\n"); + PR_fprintf(PR_STDERR, "Extracted : "); + PrintAsHex(PR_STDERR, macItem->data, macItem->len); + PR_fprintf(PR_STDERR, "Computed : "); + PrintAsHex(PR_STDERR, newmac, newmacLen); + rv = SECFailure; + } + cleanup: + if (ctxmac) { + PK11_DestroyContext(ctxmac, PR_TRUE); + } + if (ctxenc) { + PK11_DestroyContext(ctxenc, PR_TRUE); + } + if (outFile) { + PR_Close(outFile); + } + + return rv; + } + + /* + * Gets IV and CKAIDS From Header File + */ + SECStatus + GetIVandCKAIDSFromHeader(const char *cipherFileName, + SECItem *ivItem, SECItem *encKeyItem, SECItem *macKeyItem) + { + SECStatus rv; + + /* open intermediate file, read in header, get IV and CKA_IDs of two keys + * from it + */ + rv = ReadFromHeaderFile(cipherFileName, IV, ivItem, PR_TRUE); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Could not retrieve IV from cipher file\n"); + goto cleanup; + } + + rv = ReadFromHeaderFile(cipherFileName, SYMKEY, encKeyItem, PR_TRUE); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, + "Could not retrieve AES CKA_ID from cipher file\n"); + goto cleanup; + } + rv = ReadFromHeaderFile(cipherFileName, MACKEY, macKeyItem, PR_TRUE); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, + "Could not retrieve MAC CKA_ID from cipher file\n"); + goto cleanup; + } + cleanup: + return rv; + } + + /* + * DecryptFile + */ + SECStatus + DecryptFile(PK11SlotInfo *slot, + const char *dbdir, + const char *outFileName, + const char *headerFileName, + char *encryptedFileName, + secuPWData *pwdata, + PRBool ascii) + { + /* + * The DB is open read only and we have authenticated to it + * open input file, read in header, get IV and CKA_IDs of two keys from it + * find those keys in the DB token + * Open output file + * loop until EOF(input): + * read a buffer of ciphertext from input file, + * Save last block of ciphertext + * decrypt ciphertext buffer using CBC and IV, + * compute and check MAC, then remove MAC from plaintext + * replace IV with saved last block of ciphertext + * write the plain text to output file + * close files + * report success + */ + + SECStatus rv; + SECItem ivItem; + SECItem encKeyItem; + SECItem macKeyItem; + SECItem cipherItem; + SECItem macItem; + SECItem padItem; + PK11SymKey *encKey = NULL; + PK11SymKey *macKey = NULL; + + + /* open intermediate file, read in header, get IV and CKA_IDs of two keys + * from it + */ + rv = GetIVandCKAIDSFromHeader(headerFileName, + &ivItem, &encKeyItem, &macKeyItem); + if (rv != SECSuccess) { + goto cleanup; + } + + /* find those keys in the DB token */ + encKey = FindKey(slot, CKM_AES_CBC, &encKeyItem, pwdata); + if (encKey == NULL) { + PR_fprintf(PR_STDERR, "Can't find the encryption key\n"); + rv = SECFailure; + goto cleanup; + } + /* CKM_MD5_HMAC or CKM_EXTRACT_KEY_FROM_KEY */ + macKey = FindKey(slot, CKM_MD5_HMAC, &macKeyItem, pwdata); + if (macKey == NULL) { + rv = SECFailure; + goto cleanup; + } + + /* Read in the Mac into item from the intermediate file */ + rv = ReadFromHeaderFile(headerFileName, MAC, &macItem, PR_TRUE); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, + "Could not retrieve MAC from cipher file\n"); + goto cleanup; + } + if (macItem.data == NULL) { + PR_fprintf(PR_STDERR, "MAC has NULL data\n"); + rv = SECFailure; + goto cleanup; + } + if (macItem.len == 0) { + PR_fprintf(PR_STDERR, "MAC has data has 0 length\n"); + /*rv = SECFailure; + goto cleanup;*/ + } + + rv = ReadFromHeaderFile(headerFileName, PAD, &padItem, PR_TRUE); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, + "Could not retrieve PAD detail from header file\n"); + goto cleanup; + } + + if (rv == SECSuccess) { + /* Decrypt and Remove Mac */ + rv = DecryptAndVerifyMac(outFileName, encryptedFileName, + &cipherItem, &macItem, encKey, macKey, &ivItem, &padItem); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Failed while decrypting and removing MAC\n"); + } + } + + cleanup: + if (slot) { + PK11_FreeSlot(slot); + } + if (encKey) { + PK11_FreeSymKey(encKey); + } + if (macKey) { + PK11_FreeSymKey(macKey); + } + + return rv; + } + + /* + * EncryptFile + */ + SECStatus + EncryptFile(PK11SlotInfo *slot, + const char *dbdir, + const char *inFileName, + const char *headerFileName, + const char *encryptedFileName, + const char *noiseFileName, + secuPWData *pwdata, + PRBool ascii) + { + /* + * The DB is open for read/write and we have authenticated to it. + * generate a symmetric AES key as a token object. + * generate a second key to use for MACing, also a token object. + * get their CKA_IDs + * generate a random value to use as IV for AES CBC + * open an input file and an output file, + * write a header to the output that identifies the two keys by + * their CKA_IDs, May include original file name and length. + * loop until EOF(input) + * read a buffer of plaintext from input file, + * MAC it, append the MAC to the plaintext + * encrypt it using CBC, using previously created IV, + * store the last block of ciphertext as the new IV, + * write the cipher text to intermediate file + * close files + * report success + */ + SECStatus rv; + PRFileDesc *inFile; + PRFileDesc *headerFile; + PRFileDesc *encFile; + + unsigned char *encKeyId = (unsigned char *) "Encrypt Key"; + unsigned char *macKeyId = (unsigned char *) "MAC Key"; + SECItem encKeyID = { siAsciiString, encKeyId, PL_strlen(encKeyId) }; + SECItem macKeyID = { siAsciiString, macKeyId, PL_strlen(macKeyId) }; + + SECItem encCKAID; + SECItem macCKAID; + unsigned char iv[BLOCKSIZE]; + SECItem ivItem; + PK11SymKey *encKey = NULL; + PK11SymKey *macKey = NULL; + SECItem temp; + unsigned char c; + + /* generate a symmetric AES key as a token object. */ + encKey = GenerateSYMKey(slot, CKM_AES_KEY_GEN, 128/8, &encKeyID, pwdata); + if (encKey == NULL) { + PR_fprintf(PR_STDERR, "GenerateSYMKey for AES returned NULL.\n"); + rv = SECFailure; + goto cleanup; + } + + /* generate a second key to use for MACing, also a token object. */ + macKey = GenerateSYMKey(slot, CKM_GENERIC_SECRET_KEY_GEN, 160/8, + &macKeyID, pwdata); + if (macKey == NULL) { + PR_fprintf(PR_STDERR, "GenerateSYMKey for MACing returned NULL.\n"); + rv = SECFailure; + goto cleanup; + } + + /* get the encrypt key CKA_ID */ + rv = GatherCKA_ID(encKey, &encCKAID); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Error while wrapping encrypt key\n"); + goto cleanup; + } + + /* get the MAC key CKA_ID */ + rv = GatherCKA_ID(macKey, &macCKAID); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Can't get the MAC key CKA_ID.\n"); + goto cleanup; + } + + if (noiseFileName) { + rv = SeedFromNoiseFile(noiseFileName); + if (rv != SECSuccess) { + PORT_SetError(PR_END_OF_FILE_ERROR); + return SECFailure; + } + rv = PK11_GenerateRandom(iv, BLOCKSIZE); + if (rv != SECSuccess) { + goto cleanup; + } + + } else { + /* generate a random value to use as IV for AES CBC */ + GenerateRandom(iv, BLOCKSIZE); + } + + headerFile = PR_Open(headerFileName, + PR_CREATE_FILE | PR_TRUNCATE | PR_RDWR, 00660); + if (!headerFile) { + PR_fprintf(PR_STDERR, + "Unable to open \"%s\" for writing.\n", + headerFileName); + return SECFailure; + } + encFile = PR_Open(encryptedFileName, + PR_CREATE_FILE | PR_TRUNCATE | PR_RDWR, 00660); + if (!encFile) { + PR_fprintf(PR_STDERR, + "Unable to open \"%s\" for writing.\n", + encryptedFileName); + return SECFailure; + } + /* write to a header file the IV and the CKA_IDs + * identifying the two keys + */ + ivItem.type = siBuffer; + ivItem.data = iv; + ivItem.len = BLOCKSIZE; + + rv = WriteToHeaderFile(iv, BLOCKSIZE, IV, headerFile); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Error writing IV to cipher file - %s\n", + headerFileName); + goto cleanup; + } + + rv = WriteToHeaderFile(encCKAID.data, encCKAID.len, SYMKEY, headerFile); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Error writing AES CKA_ID to cipher file - %s\n", + encryptedFileName); + goto cleanup; + } + rv = WriteToHeaderFile(macCKAID.data, macCKAID.len, MACKEY, headerFile); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Error writing MAC CKA_ID to cipher file - %s\n", + headerFileName); + goto cleanup; + } + + /* Open the input file. */ + inFile = PR_Open(inFileName, PR_RDONLY, 0); + if (!inFile) { + PR_fprintf(PR_STDERR, "Unable to open \"%s\" for reading.\n", + inFileName); + return SECFailure; + } + + /* Macing and Encryption */ + if (rv == SECSuccess) { + rv = EncryptAndMac(inFile, headerFile, encFile, + encKey, macKey, ivItem.data, ivItem.len, ascii); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Failed : Macing and Encryption\n"); + goto cleanup; + } + } + + cleanup: + if (inFile) { + PR_Close(inFile); + } + if (headerFile) { + PR_Close(headerFile); + } + if (encFile) { + PR_Close(encFile); + } + if (slot) { + PK11_FreeSlot(slot); + } + if (encKey) { + PK11_FreeSymKey(encKey); + } + if (macKey) { + PK11_FreeSymKey(macKey); + } + + return rv; + } + + /* + * This example illustrates basic encryption/decryption and MACing + * Generates the encryption/mac keys and uses token for storing. + * Encrypts the input file and appends MAC before storing in intermediate + * header file. + * Writes the CKA_IDs of the encryption keys into intermediate header file. + * Reads the intermediate headerfile for CKA_IDs and encrypted + * contents and decrypts into output file. + */ + int + main(int argc, char **argv) + { + SECStatus rv; + SECStatus rvShutdown; + PK11SlotInfo *slot = NULL; + PLOptState *optstate; + PLOptStatus status; + char headerFileName[50]; + char encryptedFileName[50]; + PRFileDesc *inFile; + PRFileDesc *outFile; + PRBool ascii = PR_FALSE; + CommandType cmd = UNKNOWN; + const char *command = NULL; + const char *dbdir = NULL; + const char *inFileName = NULL; + const char *outFileName = NULL; + const char *noiseFileName = NULL; + secuPWData pwdata = { PW_NONE, 0 }; + + char * progName = strrchr(argv[0], '/'); + progName = progName ? progName + 1 : argv[0]; + + /* Parse command line arguments */ + optstate = PL_CreateOptState(argc, argv, "c:d:i:o:f:p:z:a"); + while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) { + switch (optstate->option) { + case 'a': + ascii = PR_TRUE; + break; + case 'c': + command = strdup(optstate->value); + break; + case 'd': + dbdir = strdup(optstate->value); + break; + case 'f': + pwdata.source = PW_FROMFILE; + pwdata.data = strdup(optstate->value); + break; + case 'p': + pwdata.source = PW_PLAINTEXT; + pwdata.data = strdup(optstate->value); + break; + case 'i': + inFileName = strdup(optstate->value); + break; + case 'o': + outFileName = strdup(optstate->value); + break; + case 'z': + noiseFileName = strdup(optstate->value); + break; + default: + Usage(progName); + break; + } + } + PL_DestroyOptState(optstate); + + if (!command || !dbdir || !inFileName || !outFileName) + Usage(progName); + if (PL_strlen(command)==0) + Usage(progName); + + cmd = command[0] == 'a' ? ENCRYPT : command[0] == 'b' ? DECRYPT : UNKNOWN; + + /* Open the input file. */ + inFile = PR_Open(inFileName, PR_RDONLY, 0); + if (!inFile) { + PR_fprintf(PR_STDERR, "Unable to open \"%s\" for reading.\n", + inFileName); + return SECFailure; + } + PR_Close(inFile); + + /* For intermediate header file, choose filename as inputfile name + with extension ".header" */ + strcpy(headerFileName, inFileName); + strcat(headerFileName, ".header"); + + /* For intermediate encrypted file, choose filename as inputfile name + with extension ".enc" */ + strcpy(encryptedFileName, inFileName); + strcat(encryptedFileName, ".enc"); + + PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0); + + switch (cmd) { + case ENCRYPT: + /* If the intermediate header file already exists, delete it */ + if (PR_Access(headerFileName, PR_ACCESS_EXISTS) == PR_SUCCESS) { + PR_Delete(headerFileName); + } + /* If the intermediate encrypted already exists, delete it */ + if (PR_Access(encryptedFileName, PR_ACCESS_EXISTS) == PR_SUCCESS) { + PR_Delete(encryptedFileName); + } + + /* Open DB for read/write and authenticate to it. */ + rv = NSS_InitReadWrite(dbdir); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "NSS_InitReadWrite Failed\n"); + goto cleanup; + } + + PK11_SetPasswordFunc(GetModulePassword); + slot = PK11_GetInternalKeySlot(); + if (PK11_NeedLogin(slot)) { + rv = PK11_Authenticate(slot, PR_TRUE, &pwdata); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Could not authenticate to token %s.\n", + PK11_GetTokenName(slot)); + goto cleanup; + } + } + rv = EncryptFile(slot, dbdir, + inFileName, headerFileName, encryptedFileName, + noiseFileName, &pwdata, ascii); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "EncryptFile : Failed\n"); + return SECFailure; + } + break; + case DECRYPT: + /* Open DB read only, authenticate to it */ + PK11_SetPasswordFunc(GetModulePassword); + + rv = NSS_Init(dbdir); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "NSS_Init Failed\n"); + return SECFailure; + } + + slot = PK11_GetInternalKeySlot(); + if (PK11_NeedLogin(slot)) { + rv = PK11_Authenticate(slot, PR_TRUE, &pwdata); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Could not authenticate to token %s.\n", + PK11_GetTokenName(slot)); + goto cleanup; + } + } + + rv = DecryptFile(slot, dbdir, + outFileName, headerFileName, + encryptedFileName, &pwdata, ascii); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "DecryptFile : Failed\n"); + return SECFailure; + } + break; + } + + cleanup: + rvShutdown = NSS_Shutdown(); + if (rvShutdown != SECSuccess) { + PR_fprintf(PR_STDERR, "Failed : NSS_Shutdown()\n"); + rv = SECFailure; + } + + PR_Cleanup(); + + return rv; + } \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/encrypt_decrypt_mac_using_token/index.rst b/security/nss/doc/rst/legacy/encrypt_decrypt_mac_using_token/index.rst new file mode 100644 index 0000000000..e2f399166b --- /dev/null +++ b/security/nss/doc/rst/legacy/encrypt_decrypt_mac_using_token/index.rst @@ -0,0 +1,1206 @@ +.. _mozilla_projects_nss_encrypt_decrypt_mac_using_token: + +Encrypt and decrypt MAC using token +=================================== + +.. _nss_sample_code_3_encryptiondecryption_and_mac_using_token_object.: + +`NSS sample code 3: encryption/decryption and MAC using token object. <#nss_sample_code_3_encryptiondecryption_and_mac_using_token_object.>`__ +---------------------------------------------------------------------------------------------------------------------------------------------- + +.. container:: + + Generates encryption/mac keys and uses token for storing. + + .. code:: c + + /* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at https://mozilla.org/MPL/2.0/. */ + + /* NSPR Headers */ + #include + #include + #include + #include + #include + #include + #include + + /* NSS headers */ + #include + #include + + /* our samples utilities */ + #include "util.h" + + #define BUFFERSIZE 80 + #define DIGESTSIZE 16 + #define PTEXT_MAC_BUFFER_SIZE 96 + #define CIPHERSIZE 96 + #define BLOCKSIZE 32 + + #define CIPHER_HEADER "-----BEGIN CIPHER-----" + #define CIPHER_TRAILER "-----END CIPHER-----" + #define ENCKEY_HEADER "-----BEGIN AESKEY CKAID-----" + #define ENCKEY_TRAILER "-----END AESKEY CKAID-----" + #define MACKEY_HEADER "-----BEGIN MACKEY CKAID-----" + #define MACKEY_TRAILER "-----END MACKEY CKAID-----" + #define IV_HEADER "-----BEGIN IV-----" + #define IV_TRAILER "-----END IV-----" + #define MAC_HEADER "-----BEGIN MAC-----" + #define MAC_TRAILER "-----END MAC-----" + #define PAD_HEADER "-----BEGIN PAD-----" + #define PAD_TRAILER "-----END PAD-----" + + typedef enum { + ENCRYPT, + DECRYPT, + UNKNOWN + } CommandType; + + typedef enum { + SYMKEY = 0, + MACKEY = 1, + IV = 2, + MAC = 3, + PAD = 4 + } HeaderType; + + + /* + * Print usage message and exit + */ + static void + Usage(const char *progName) + { + fprintf(stderr, "\nUsage: %s -c -d [-z ] " + "[-p | -f ] -i -o \n\n", + progName); + fprintf(stderr, "%-20s Specify 'a' for encrypt operation\n\n", + "-c "); + fprintf(stderr, "%-20s Specify 'b' for decrypt operation\n\n", + " "); + fprintf(stderr, "%-20s Specify db directory path\n\n", + "-d "); + fprintf(stderr, "%-20s Specify db password [optional]\n\n", + "-p "); + fprintf(stderr, "%-20s Specify db password file [optional]\n\n", + "-f "); + fprintf(stderr, "%-20s Specify noise file name [optional]\n\n", + "-z "); + fprintf(stderr, "%-21s Specify an input file name\n\n", + "-i "); + fprintf(stderr, "%-21s Specify an output file name\n\n", + "-o "); + fprintf(stderr, "%-7s For encrypt, it takes as an input file and produces\n", + "Note :"); + fprintf(stderr, "%-7s .enc and .header as intermediate output files.\n\n", + ""); + fprintf(stderr, "%-7s For decrypt, it takes .enc and .header\n", + ""); + fprintf(stderr, "%-7s as input files and produces as a final output file.\n\n", + ""); + exit(-1); + } + + /* + * Gather a CKA_ID + */ + SECStatus + GatherCKA_ID(PK11SymKey* key, SECItem* buf) + { + SECStatus rv = PK11_ReadRawAttribute(PK11_TypeSymKey, key, CKA_ID, buf); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "PK11_ReadRawAttribute returned (%d)\n", rv); + PR_fprintf(PR_STDERR, "Could not read SymKey CKA_ID attribute\n"); + return rv; + } + return rv; + } + + /* + * Generate a Symmetric Key + */ + PK11SymKey * + GenerateSYMKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE mechanism, + int keySize, SECItem *keyID, secuPWData *pwdata) + { + SECStatus rv; + PK11SymKey *key; + + if (PK11_NeedLogin(slot)) { + rv = PK11_Authenticate(slot, PR_TRUE, pwdata); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Could not authenticate to token %s.\n", + PK11_GetTokenName(slot)); + return NULL; + } + } + + /* Generate the symmetric key */ + key = PK11_TokenKeyGen(slot, mechanism, + NULL, keySize, keyID, PR_TRUE, pwdata); + + if (!key) { + PR_fprintf(PR_STDERR, "Symmetric Key Generation Failed \n"); + } + + return key; + } + + /* + * MacInit + */ + SECStatus + MacInit(PK11Context *ctx) + { + SECStatus rv = PK11_DigestBegin(ctx); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Compute MAC Failed : PK11_DigestBegin()\n"); + } + return rv; + } + + /* + * MacUpdate + */ + SECStatus + MacUpdate(PK11Context *ctx, + unsigned char *msg, unsigned int msgLen) + { + SECStatus rv = PK11_DigestOp(ctx, msg, msgLen); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Compute MAC Failed : DigestOp()\n"); + } + return rv; + } + + /* + * Finalize MACing + */ + SECStatus + MacFinal(PK11Context *ctx, + unsigned char *mac, unsigned int *macLen, unsigned int maxLen) + { + SECStatus rv = PK11_DigestFinal(ctx, mac, macLen, maxLen); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Compute MAC Failed : PK11_DigestFinal()\n"); + } + return SECSuccess; + } + + /* + * Compute Mac + */ + SECStatus + ComputeMac(PK11Context *ctxmac, + unsigned char *ptext, unsigned int ptextLen, + unsigned char *mac, unsigned int *macLen, + unsigned int maxLen) + { + SECStatus rv = MacInit(ctxmac); + if (rv != SECSuccess) return rv; + rv = MacUpdate(ctxmac, ptext, ptextLen); + if (rv != SECSuccess) return rv; + rv = MacFinal(ctxmac, mac, macLen, maxLen); + return rv; + } + + /* + * WriteToHeaderFile + */ + SECStatus + WriteToHeaderFile(const char *buf, unsigned int len, HeaderType type, + PRFileDesc *outFile) + { + SECStatus rv; + char header[40]; + char trailer[40]; + char *outString = NULL; + + switch (type) { + case SYMKEY: + strcpy(header, ENCKEY_HEADER); + strcpy(trailer, ENCKEY_TRAILER); + break; + case MACKEY: + strcpy(header, MACKEY_HEADER); + strcpy(trailer, MACKEY_TRAILER); + break; + case IV: + strcpy(header, IV_HEADER); + strcpy(trailer, IV_TRAILER); + break; + case MAC: + strcpy(header, MAC_HEADER); + strcpy(trailer, MAC_TRAILER); + break; + case PAD: + strcpy(header, PAD_HEADER); + strcpy(trailer, PAD_TRAILER); + break; + } + + PR_fprintf(outFile, "%s\n", header); + PrintAsHex(outFile, buf, len); + PR_fprintf(outFile, "%s\n\n", trailer); + return SECSuccess; + } + + /* + * Initialize for encryption or decryption - common code + */ + PK11Context * + CryptInit(PK11SymKey *key, + unsigned char *iv, unsigned int ivLen, + CK_MECHANISM_TYPE type, CK_ATTRIBUTE_TYPE operation) + { + SECItem ivItem = { siBuffer, iv, ivLen }; + PK11Context *ctx = NULL; + + SECItem *secParam = PK11_ParamFromIV(CKM_AES_CBC, &ivItem); + if (secParam == NULL) { + PR_fprintf(PR_STDERR, "Crypt Failed : secParam NULL\n"); + return NULL; + } + ctx = PK11_CreateContextBySymKey(CKM_AES_CBC, operation, key, secParam); + if (ctx == NULL) { + PR_fprintf(PR_STDERR, "Crypt Failed : can't create a context\n"); + goto cleanup; + + } + cleanup: + if (secParam) { + SECITEM_FreeItem(secParam, PR_TRUE); + } + return ctx; + } + + /* + * Common encryption and decryption code + */ + SECStatus + Crypt(PK11Context *ctx, + unsigned char *out, unsigned int *outLen, unsigned int maxOut, + unsigned char *in, unsigned int inLen) + { + SECStatus rv; + + rv = PK11_CipherOp(ctx, out, outLen, maxOut, in, inLen); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Crypt Failed : PK11_CipherOp returned %d\n", rv); + goto cleanup; + } + + cleanup: + if (rv != SECSuccess) { + return rv; + } + return SECSuccess; + } + + /* + * Decrypt + */ + SECStatus + Decrypt(PK11Context *ctx, + unsigned char *out, unsigned int *outLen, unsigned int maxout, + unsigned char *in, unsigned int inLen) + { + return Crypt(ctx, out, outLen, maxout, in, inLen); + } + + /* + * Encrypt + */ + SECStatus + Encrypt(PK11Context* ctx, + unsigned char *out, unsigned int *outLen, unsigned int maxout, + unsigned char *in, unsigned int inLen) + { + return Crypt(ctx, out, outLen, maxout, in, inLen); + } + + /* + * EncryptInit + */ + PK11Context * + EncryptInit(PK11SymKey *ek, unsigned char *iv, unsigned int ivLen, + CK_MECHANISM_TYPE type) + { + return CryptInit(ek, iv, ivLen, type, CKA_ENCRYPT); + } + + /* + * DecryptInit + */ + PK11Context * + DecryptInit(PK11SymKey *dk, unsigned char *iv, unsigned int ivLen, + CK_MECHANISM_TYPE type) + { + return CryptInit(dk, iv, ivLen, type, CKA_DECRYPT); + } + + /* + * Read cryptographic parameters from the header file + */ + SECStatus + ReadFromHeaderFile(const char *fileName, HeaderType type, + SECItem *item, PRBool isHexData) + { + SECStatus rv; + PRFileDesc* file; + SECItem filedata; + SECItem outbuf; + unsigned char *nonbody; + unsigned char *body; + char header[40]; + char trailer[40]; + + outbuf.type = siBuffer; + file = PR_Open(fileName, PR_RDONLY, 0); + if (!file) { + PR_fprintf(PR_STDERR, "Failed to open %s\n", fileName); + return SECFailure; + } + switch (type) { + case SYMKEY: + strcpy(header, ENCKEY_HEADER); + strcpy(trailer, ENCKEY_TRAILER); + break; + case MACKEY: + strcpy(header, MACKEY_HEADER); + strcpy(trailer, MACKEY_TRAILER); + break; + case IV: + strcpy(header, IV_HEADER); + strcpy(trailer, IV_TRAILER); + break; + case MAC: + strcpy(header, MAC_HEADER); + strcpy(trailer, MAC_TRAILER); + break; + case PAD: + strcpy(header, PAD_HEADER); + strcpy(trailer, PAD_TRAILER); + break; + } + + rv = FileToItem(&filedata, file); + nonbody = (char *)filedata.data; + if (!nonbody) { + PR_fprintf(PR_STDERR, "unable to read data from input file\n"); + rv = SECFailure; + goto cleanup; + } + + /* check for headers and trailers and remove them */ + if ((body = strstr(nonbody, header)) != NULL) { + char *trail = NULL; + nonbody = body; + body = PORT_Strchr(body, '\n'); + if (!body) + body = PORT_Strchr(nonbody, '\r'); /* maybe this is a MAC file */ + if (body) + trail = strstr(++body, trailer); + if (trail != NULL) { + *trail = '\0'; + } else { + PR_fprintf(PR_STDERR, "input has header but no trailer\n"); + PORT_Free(filedata.data); + return SECFailure; + } + } else { + body = nonbody; + } + + cleanup: + PR_Close(file); + HexToBuf(body, item, isHexData); + return SECSuccess; + } + + /* + * EncryptAndMac + */ + SECStatus + EncryptAndMac(PRFileDesc *inFile, + PRFileDesc *headerFile, + PRFileDesc *encFile, + PK11SymKey *ek, + PK11SymKey *mk, + unsigned char *iv, unsigned int ivLen, + PRBool ascii) + { + SECStatus rv; + unsigned char ptext[BLOCKSIZE]; + unsigned int ptextLen; + unsigned char mac[DIGESTSIZE]; + unsigned int macLen; + unsigned int nwritten; + unsigned char encbuf[BLOCKSIZE]; + unsigned int encbufLen; + SECItem noParams = { siBuffer, NULL, 0 }; + PK11Context *ctxmac = NULL; + PK11Context *ctxenc = NULL; + unsigned int pad[1]; + SECItem padItem; + unsigned int paddingLength; + + static unsigned int firstTime = 1; + int j; + + ctxmac = PK11_CreateContextBySymKey(CKM_MD5_HMAC, CKA_SIGN, mk, &noParams); + if (ctxmac == NULL) { + PR_fprintf(PR_STDERR, "Can't create MAC context\n"); + rv = SECFailure; + goto cleanup; + } + rv = MacInit(ctxmac); + if (rv != SECSuccess) { + goto cleanup; + } + + ctxenc = EncryptInit(ek, iv, ivLen, CKM_AES_CBC); + + /* read a buffer of plaintext from input file */ + while ((ptextLen = PR_Read(inFile, ptext, sizeof(ptext))) > 0) { + + /* Encrypt using it using CBC, using previously created IV */ + if (ptextLen != BLOCKSIZE) { + paddingLength = BLOCKSIZE - ptextLen; + for ( j=0; j < paddingLength; j++) { + ptext[ptextLen+j] = (unsigned char)paddingLength; + } + ptextLen = BLOCKSIZE; + } + rv = Encrypt(ctxenc, + encbuf, &encbufLen, sizeof(encbuf), + ptext, ptextLen); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Encrypt Failure\n"); + goto cleanup; + } + + /* save the last block of ciphertext as the next IV */ + iv = encbuf; + ivLen = encbufLen; + + /* write the cipher text to intermediate file */ + nwritten = PR_Write(encFile, encbuf, encbufLen); + /*PR_Assert(nwritten == encbufLen);*/ + + rv = MacUpdate(ctxmac, ptext, ptextLen); + } + + rv = MacFinal(ctxmac, mac, &macLen, DIGESTSIZE); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "MacFinal Failure\n"); + goto cleanup; + } + if (macLen == 0) { + PR_fprintf(PR_STDERR, "Bad MAC length\n"); + rv = SECFailure; + goto cleanup; + } + WriteToHeaderFile(mac, macLen, MAC, headerFile); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Write MAC Failure\n"); + goto cleanup; + } + + pad[0] = paddingLength; + padItem.type = siBuffer; + padItem.data = (unsigned char *)pad; + padItem.len = sizeof(pad[0]); + + WriteToHeaderFile(padItem.data, padItem.len, PAD, headerFile); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Write PAD Failure\n"); + goto cleanup; + } + + rv = SECSuccess; + + cleanup: + if (ctxmac != NULL) { + PK11_DestroyContext(ctxmac, PR_TRUE); + } + if (ctxenc != NULL) { + PK11_DestroyContext(ctxenc, PR_TRUE); + } + + return rv; + } + + /* + * Find the Key for the given mechanism + */ + PK11SymKey* + FindKey(PK11SlotInfo *slot, + CK_MECHANISM_TYPE mechanism, + SECItem *keyBuf, secuPWData *pwdata) + { + SECStatus rv; + PK11SymKey *key; + + if (PK11_NeedLogin(slot)) { + rv = PK11_Authenticate(slot, PR_TRUE, pwdata); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, + "Could not authenticate to token %s.\n", + PK11_GetTokenName(slot)); + if (slot) { + PK11_FreeSlot(slot); + } + return NULL; + } + } + + key = PK11_FindFixedKey(slot, mechanism, keyBuf, 0); + if (!key) { + PR_fprintf(PR_STDERR, + "PK11_FindFixedKey failed (err %d)\n", + PR_GetError()); + PK11_FreeSlot(slot); + return NULL; + } + return key; + } + + /* + * Decrypt and Verify MAC + */ + SECStatus + DecryptAndVerifyMac(const char* outFileName, + char *encryptedFileName, + SECItem *cItem, SECItem *macItem, + PK11SymKey* ek, PK11SymKey* mk, SECItem *ivItem, SECItem *padItem) + { + SECStatus rv; + PRFileDesc* inFile; + PRFileDesc* outFile; + + unsigned char decbuf[64]; + unsigned int decbufLen; + + unsigned char ptext[BLOCKSIZE]; + unsigned int ptextLen = 0; + unsigned char ctext[64]; + unsigned int ctextLen; + unsigned char newmac[DIGESTSIZE]; + unsigned int newmacLen = 0; + unsigned int newptextLen = 0; + unsigned int count = 0; + unsigned int temp = 0; + unsigned int blockNumber = 0; + SECItem noParams = { siBuffer, NULL, 0 }; + PK11Context *ctxmac = NULL; + PK11Context *ctxenc = NULL; + + unsigned char iv[BLOCKSIZE]; + unsigned int ivLen = ivItem->len; + unsigned int fileLength; + unsigned int paddingLength; + int j; + + memcpy(iv, ivItem->data, ivItem->len); + paddingLength = (unsigned int)padItem->data[0]; + + ctxmac = PK11_CreateContextBySymKey(CKM_MD5_HMAC, CKA_SIGN, mk, &noParams); + if (ctxmac == NULL) { + PR_fprintf(PR_STDERR, "Can't create MAC context\n"); + rv = SECFailure; + goto cleanup; + } + + /* Open the input file. */ + inFile = PR_Open(encryptedFileName, PR_RDONLY , 0); + if (!inFile) { + PR_fprintf(PR_STDERR, + "Unable to open \"%s\" for writing.\n", + encryptedFileName); + return SECFailure; + } + /* Open the output file. */ + outFile = PR_Open(outFileName, + PR_CREATE_FILE | PR_TRUNCATE | PR_RDWR , 00660); + if (!outFile) { + PR_fprintf(PR_STDERR, + "Unable to open \"%s\" for writing.\n", + outFileName); + return SECFailure; + } + + rv = MacInit(ctxmac); + if (rv != SECSuccess) goto cleanup; + + ctxenc = DecryptInit(ek, iv, ivLen, CKM_AES_CBC); + fileLength = FileSize(encryptedFileName); + + while ((ctextLen = PR_Read(inFile, ctext, sizeof(ctext))) > 0) { + + count += ctextLen; + + /* decrypt cipher text buffer using CBC and IV */ + + rv = Decrypt(ctxenc, decbuf, &decbufLen, sizeof(decbuf), + ctext, ctextLen); + + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Decrypt Failure\n"); + goto cleanup; + } + + if (decbufLen == 0) break; + + rv = MacUpdate(ctxmac, decbuf, decbufLen); + if (rv != SECSuccess) { goto cleanup; } + if (count == fileLength) { + decbufLen = decbufLen-paddingLength; + } + + /* write the plain text to out file */ + temp = PR_Write(outFile, decbuf, decbufLen); + if (temp != decbufLen) { + PR_fprintf(PR_STDERR, "write error\n"); + rv = SECFailure; + break; + } + + /* save last block of ciphertext */ + memcpy(iv, decbuf, decbufLen); + ivLen = decbufLen; + blockNumber++; + } + + if (rv != SECSuccess) { goto cleanup; } + + rv = MacFinal(ctxmac, newmac, &newmacLen, sizeof(newmac)); + if (rv != SECSuccess) { goto cleanup; } + + if (PORT_Memcmp(macItem->data, newmac, newmacLen) == 0) { + rv = SECSuccess; + } else { + PR_fprintf(PR_STDERR, "Check MAC : Failure\n"); + PR_fprintf(PR_STDERR, "Extracted : "); + PrintAsHex(PR_STDERR, macItem->data, macItem->len); + PR_fprintf(PR_STDERR, "Computed : "); + PrintAsHex(PR_STDERR, newmac, newmacLen); + rv = SECFailure; + } + cleanup: + if (ctxmac) { + PK11_DestroyContext(ctxmac, PR_TRUE); + } + if (ctxenc) { + PK11_DestroyContext(ctxenc, PR_TRUE); + } + if (outFile) { + PR_Close(outFile); + } + + return rv; + } + + /* + * Gets IV and CKAIDS From Header File + */ + SECStatus + GetIVandCKAIDSFromHeader(const char *cipherFileName, + SECItem *ivItem, SECItem *encKeyItem, SECItem *macKeyItem) + { + SECStatus rv; + + /* open intermediate file, read in header, get IV and CKA_IDs of two keys + * from it + */ + rv = ReadFromHeaderFile(cipherFileName, IV, ivItem, PR_TRUE); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Could not retrieve IV from cipher file\n"); + goto cleanup; + } + + rv = ReadFromHeaderFile(cipherFileName, SYMKEY, encKeyItem, PR_TRUE); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, + "Could not retrieve AES CKA_ID from cipher file\n"); + goto cleanup; + } + rv = ReadFromHeaderFile(cipherFileName, MACKEY, macKeyItem, PR_TRUE); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, + "Could not retrieve MAC CKA_ID from cipher file\n"); + goto cleanup; + } + cleanup: + return rv; + } + + /* + * DecryptFile + */ + SECStatus + DecryptFile(PK11SlotInfo *slot, + const char *dbdir, + const char *outFileName, + const char *headerFileName, + char *encryptedFileName, + secuPWData *pwdata, + PRBool ascii) + { + /* + * The DB is open read only and we have authenticated to it + * open input file, read in header, get IV and CKA_IDs of two keys from it + * find those keys in the DB token + * Open output file + * loop until EOF(input): + * read a buffer of ciphertext from input file, + * Save last block of ciphertext + * decrypt ciphertext buffer using CBC and IV, + * compute and check MAC, then remove MAC from plaintext + * replace IV with saved last block of ciphertext + * write the plain text to output file + * close files + * report success + */ + + SECStatus rv; + SECItem ivItem; + SECItem encKeyItem; + SECItem macKeyItem; + SECItem cipherItem; + SECItem macItem; + SECItem padItem; + PK11SymKey *encKey = NULL; + PK11SymKey *macKey = NULL; + + + /* open intermediate file, read in header, get IV and CKA_IDs of two keys + * from it + */ + rv = GetIVandCKAIDSFromHeader(headerFileName, + &ivItem, &encKeyItem, &macKeyItem); + if (rv != SECSuccess) { + goto cleanup; + } + + /* find those keys in the DB token */ + encKey = FindKey(slot, CKM_AES_CBC, &encKeyItem, pwdata); + if (encKey == NULL) { + PR_fprintf(PR_STDERR, "Can't find the encryption key\n"); + rv = SECFailure; + goto cleanup; + } + /* CKM_MD5_HMAC or CKM_EXTRACT_KEY_FROM_KEY */ + macKey = FindKey(slot, CKM_MD5_HMAC, &macKeyItem, pwdata); + if (macKey == NULL) { + rv = SECFailure; + goto cleanup; + } + + /* Read in the Mac into item from the intermediate file */ + rv = ReadFromHeaderFile(headerFileName, MAC, &macItem, PR_TRUE); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, + "Could not retrieve MAC from cipher file\n"); + goto cleanup; + } + if (macItem.data == NULL) { + PR_fprintf(PR_STDERR, "MAC has NULL data\n"); + rv = SECFailure; + goto cleanup; + } + if (macItem.len == 0) { + PR_fprintf(PR_STDERR, "MAC has data has 0 length\n"); + /*rv = SECFailure; + goto cleanup;*/ + } + + rv = ReadFromHeaderFile(headerFileName, PAD, &padItem, PR_TRUE); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, + "Could not retrieve PAD detail from header file\n"); + goto cleanup; + } + + if (rv == SECSuccess) { + /* Decrypt and Remove Mac */ + rv = DecryptAndVerifyMac(outFileName, encryptedFileName, + &cipherItem, &macItem, encKey, macKey, &ivItem, &padItem); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Failed while decrypting and removing MAC\n"); + } + } + + cleanup: + if (slot) { + PK11_FreeSlot(slot); + } + if (encKey) { + PK11_FreeSymKey(encKey); + } + if (macKey) { + PK11_FreeSymKey(macKey); + } + + return rv; + } + + /* + * EncryptFile + */ + SECStatus + EncryptFile(PK11SlotInfo *slot, + const char *dbdir, + const char *inFileName, + const char *headerFileName, + const char *encryptedFileName, + const char *noiseFileName, + secuPWData *pwdata, + PRBool ascii) + { + /* + * The DB is open for read/write and we have authenticated to it. + * generate a symmetric AES key as a token object. + * generate a second key to use for MACing, also a token object. + * get their CKA_IDs + * generate a random value to use as IV for AES CBC + * open an input file and an output file, + * write a header to the output that identifies the two keys by + * their CKA_IDs, May include original file name and length. + * loop until EOF(input) + * read a buffer of plaintext from input file, + * MAC it, append the MAC to the plaintext + * encrypt it using CBC, using previously created IV, + * store the last block of ciphertext as the new IV, + * write the cipher text to intermediate file + * close files + * report success + */ + SECStatus rv; + PRFileDesc *inFile; + PRFileDesc *headerFile; + PRFileDesc *encFile; + + unsigned char *encKeyId = (unsigned char *) "Encrypt Key"; + unsigned char *macKeyId = (unsigned char *) "MAC Key"; + SECItem encKeyID = { siAsciiString, encKeyId, PL_strlen(encKeyId) }; + SECItem macKeyID = { siAsciiString, macKeyId, PL_strlen(macKeyId) }; + + SECItem encCKAID; + SECItem macCKAID; + unsigned char iv[BLOCKSIZE]; + SECItem ivItem; + PK11SymKey *encKey = NULL; + PK11SymKey *macKey = NULL; + SECItem temp; + unsigned char c; + + /* generate a symmetric AES key as a token object. */ + encKey = GenerateSYMKey(slot, CKM_AES_KEY_GEN, 128/8, &encKeyID, pwdata); + if (encKey == NULL) { + PR_fprintf(PR_STDERR, "GenerateSYMKey for AES returned NULL.\n"); + rv = SECFailure; + goto cleanup; + } + + /* generate a second key to use for MACing, also a token object. */ + macKey = GenerateSYMKey(slot, CKM_GENERIC_SECRET_KEY_GEN, 160/8, + &macKeyID, pwdata); + if (macKey == NULL) { + PR_fprintf(PR_STDERR, "GenerateSYMKey for MACing returned NULL.\n"); + rv = SECFailure; + goto cleanup; + } + + /* get the encrypt key CKA_ID */ + rv = GatherCKA_ID(encKey, &encCKAID); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Error while wrapping encrypt key\n"); + goto cleanup; + } + + /* get the MAC key CKA_ID */ + rv = GatherCKA_ID(macKey, &macCKAID); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Can't get the MAC key CKA_ID.\n"); + goto cleanup; + } + + if (noiseFileName) { + rv = SeedFromNoiseFile(noiseFileName); + if (rv != SECSuccess) { + PORT_SetError(PR_END_OF_FILE_ERROR); + return SECFailure; + } + rv = PK11_GenerateRandom(iv, BLOCKSIZE); + if (rv != SECSuccess) { + goto cleanup; + } + + } else { + /* generate a random value to use as IV for AES CBC */ + GenerateRandom(iv, BLOCKSIZE); + } + + headerFile = PR_Open(headerFileName, + PR_CREATE_FILE | PR_TRUNCATE | PR_RDWR, 00660); + if (!headerFile) { + PR_fprintf(PR_STDERR, + "Unable to open \"%s\" for writing.\n", + headerFileName); + return SECFailure; + } + encFile = PR_Open(encryptedFileName, + PR_CREATE_FILE | PR_TRUNCATE | PR_RDWR, 00660); + if (!encFile) { + PR_fprintf(PR_STDERR, + "Unable to open \"%s\" for writing.\n", + encryptedFileName); + return SECFailure; + } + /* write to a header file the IV and the CKA_IDs + * identifying the two keys + */ + ivItem.type = siBuffer; + ivItem.data = iv; + ivItem.len = BLOCKSIZE; + + rv = WriteToHeaderFile(iv, BLOCKSIZE, IV, headerFile); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Error writing IV to cipher file - %s\n", + headerFileName); + goto cleanup; + } + + rv = WriteToHeaderFile(encCKAID.data, encCKAID.len, SYMKEY, headerFile); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Error writing AES CKA_ID to cipher file - %s\n", + encryptedFileName); + goto cleanup; + } + rv = WriteToHeaderFile(macCKAID.data, macCKAID.len, MACKEY, headerFile); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Error writing MAC CKA_ID to cipher file - %s\n", + headerFileName); + goto cleanup; + } + + /* Open the input file. */ + inFile = PR_Open(inFileName, PR_RDONLY, 0); + if (!inFile) { + PR_fprintf(PR_STDERR, "Unable to open \"%s\" for reading.\n", + inFileName); + return SECFailure; + } + + /* Macing and Encryption */ + if (rv == SECSuccess) { + rv = EncryptAndMac(inFile, headerFile, encFile, + encKey, macKey, ivItem.data, ivItem.len, ascii); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Failed : Macing and Encryption\n"); + goto cleanup; + } + } + + cleanup: + if (inFile) { + PR_Close(inFile); + } + if (headerFile) { + PR_Close(headerFile); + } + if (encFile) { + PR_Close(encFile); + } + if (slot) { + PK11_FreeSlot(slot); + } + if (encKey) { + PK11_FreeSymKey(encKey); + } + if (macKey) { + PK11_FreeSymKey(macKey); + } + + return rv; + } + + /* + * This example illustrates basic encryption/decryption and MACing + * Generates the encryption/mac keys and uses token for storing. + * Encrypts the input file and appends MAC before storing in intermediate + * header file. + * Writes the CKA_IDs of the encryption keys into intermediate header file. + * Reads the intermediate headerfile for CKA_IDs and encrypted + * contents and decrypts into output file. + */ + int + main(int argc, char **argv) + { + SECStatus rv; + SECStatus rvShutdown; + PK11SlotInfo *slot = NULL; + PLOptState *optstate; + PLOptStatus status; + char headerFileName[50]; + char encryptedFileName[50]; + PRFileDesc *inFile; + PRFileDesc *outFile; + PRBool ascii = PR_FALSE; + CommandType cmd = UNKNOWN; + const char *command = NULL; + const char *dbdir = NULL; + const char *inFileName = NULL; + const char *outFileName = NULL; + const char *noiseFileName = NULL; + secuPWData pwdata = { PW_NONE, 0 }; + + char * progName = strrchr(argv[0], '/'); + progName = progName ? progName + 1 : argv[0]; + + /* Parse command line arguments */ + optstate = PL_CreateOptState(argc, argv, "c:d:i:o:f:p:z:a"); + while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) { + switch (optstate->option) { + case 'a': + ascii = PR_TRUE; + break; + case 'c': + command = strdup(optstate->value); + break; + case 'd': + dbdir = strdup(optstate->value); + break; + case 'f': + pwdata.source = PW_FROMFILE; + pwdata.data = strdup(optstate->value); + break; + case 'p': + pwdata.source = PW_PLAINTEXT; + pwdata.data = strdup(optstate->value); + break; + case 'i': + inFileName = strdup(optstate->value); + break; + case 'o': + outFileName = strdup(optstate->value); + break; + case 'z': + noiseFileName = strdup(optstate->value); + break; + default: + Usage(progName); + break; + } + } + PL_DestroyOptState(optstate); + + if (!command || !dbdir || !inFileName || !outFileName) + Usage(progName); + if (PL_strlen(command)==0) + Usage(progName); + + cmd = command[0] == 'a' ? ENCRYPT : command[0] == 'b' ? DECRYPT : UNKNOWN; + + /* Open the input file. */ + inFile = PR_Open(inFileName, PR_RDONLY, 0); + if (!inFile) { + PR_fprintf(PR_STDERR, "Unable to open \"%s\" for reading.\n", + inFileName); + return SECFailure; + } + PR_Close(inFile); + + /* For intermediate header file, choose filename as inputfile name + with extension ".header" */ + strcpy(headerFileName, inFileName); + strcat(headerFileName, ".header"); + + /* For intermediate encrypted file, choose filename as inputfile name + with extension ".enc" */ + strcpy(encryptedFileName, inFileName); + strcat(encryptedFileName, ".enc"); + + PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0); + + switch (cmd) { + case ENCRYPT: + /* If the intermediate header file already exists, delete it */ + if (PR_Access(headerFileName, PR_ACCESS_EXISTS) == PR_SUCCESS) { + PR_Delete(headerFileName); + } + /* If the intermediate encrypted already exists, delete it */ + if (PR_Access(encryptedFileName, PR_ACCESS_EXISTS) == PR_SUCCESS) { + PR_Delete(encryptedFileName); + } + + /* Open DB for read/write and authenticate to it. */ + rv = NSS_InitReadWrite(dbdir); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "NSS_InitReadWrite Failed\n"); + goto cleanup; + } + + PK11_SetPasswordFunc(GetModulePassword); + slot = PK11_GetInternalKeySlot(); + if (PK11_NeedLogin(slot)) { + rv = PK11_Authenticate(slot, PR_TRUE, &pwdata); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Could not authenticate to token %s.\n", + PK11_GetTokenName(slot)); + goto cleanup; + } + } + rv = EncryptFile(slot, dbdir, + inFileName, headerFileName, encryptedFileName, + noiseFileName, &pwdata, ascii); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "EncryptFile : Failed\n"); + return SECFailure; + } + break; + case DECRYPT: + /* Open DB read only, authenticate to it */ + PK11_SetPasswordFunc(GetModulePassword); + + rv = NSS_Init(dbdir); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "NSS_Init Failed\n"); + return SECFailure; + } + + slot = PK11_GetInternalKeySlot(); + if (PK11_NeedLogin(slot)) { + rv = PK11_Authenticate(slot, PR_TRUE, &pwdata); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Could not authenticate to token %s.\n", + PK11_GetTokenName(slot)); + goto cleanup; + } + } + + rv = DecryptFile(slot, dbdir, + outFileName, headerFileName, + encryptedFileName, &pwdata, ascii); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "DecryptFile : Failed\n"); + return SECFailure; + } + break; + } + + cleanup: + rvShutdown = NSS_Shutdown(); + if (rvShutdown != SECSuccess) { + PR_fprintf(PR_STDERR, "Failed : NSS_Shutdown()\n"); + rv = SECFailure; + } + + PR_Cleanup(); + + return rv; + } \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/faq/index.rst b/security/nss/doc/rst/legacy/faq/index.rst new file mode 100644 index 0000000000..6c022e7ff1 --- /dev/null +++ b/security/nss/doc/rst/legacy/faq/index.rst @@ -0,0 +1,280 @@ +.. _mozilla_projects_nss_faq: + +NSS FAQ +======= + +.. _general_questions: + +`General Questions <#general_questions>`__ +------------------------------------------ + +.. _what_is_network_security_services_.28nss.29: + +`What is Network Security Services (NSS) <#what_is_network_security_services_.28nss.29>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + NSS is set of libraries, APIs, utilities, and documentation designed to support cross-platform + development of security-enabled client and server applications. It provides a complete + open-source implementation of the crypto libraries used by Mozilla and other companies in the + Firefox browser, AOL Instant Messenger (AIM), server products from Red Hat, and other products. + + For an overview of NSS, see :ref:`mozilla_projects_nss_overview`. For detailed information on the + open-source NSS project, see `NSS Project Page `__. + +.. _what_can_i_do_with_nss.3f_is_nss_appropriate_for_my_application.3f: + +`What can I do with NSS? Is NSS appropriate for my application? <#what_can_i_do_with_nss.3f_is_nss_appropriate_for_my_application.3f>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + If you want add support for SSL, S/MIME, or other Internet security standards to your + application, you can use Network Security Services (NSS) to do so. Because NSS provides complete + support for all versions of SSL and TLS, it is particularly well-suited for applications that + need to communicate with the many clients and servers that already support the SSL protocol. + + The PKCS #11 interface included in NSS means that your application can use `hardware + accelerators <#what_hardware_accelerators_are_supported.3f>`__ on the server and + :ref:`mozilla_projects_nss_faq#how_do_i_integrate_smart_cards_into_my_application_using_nss_3f` + for two-factor authentication. + +.. _how_does_nss_compare_to_openssl.3f: + +`How does NSS compare to OpenSSL? <#how_does_nss_compare_to_openssl.3f>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + `OpenSSL `__ is an open source project that implements server-side SSL, + TLS, and a general-purpose cryptography library. It does not support PKCS #11. It is based on the + SSLeay library developed by Eric A. Young and Tim J. Hudson. OpenSSL is widely used in Apache + servers and is licensed under an Apache-style licence. + + NSS supports both server and client applications as well as + :ref:`mozilla_projects_nss_pkcs11_faq` and S/MIME. To permit its use in as many contexts as + possible, NSS is licensed under the `Mozilla Public License `__, + version 2. + +.. _how_does_nss_compare_to_sslref.3f: + +`How does NSS compare to SSLRef? <#how_does_nss_compare_to_sslref.3f>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + SSLRef was an early reference implementation of the SSL protocol. It contains bugs that were + never fixed, doesn't support TLS or the new 56-bit export cipher suites, and does not contain the + fix to the Bleichenbacher attack on PKCS#1. + + Netscape no longer maintains SSLRef or makes it available. It was built as an example of an SSL + implementation, not for creating production applications. + + NSS was designed from the ground up for use by commercial developers. It provides a complete + software development kit that uses the same architecture used to support security features in + many client and server products from Netscape and other companies. + +.. _what_platforms_and_development_environments_are_supported.3f: + +`What platforms and development environments are supported? <#what_platforms_and_development_environments_are_supported.3f>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + .. warning:: + + This section is out of date + + iPlanet E-Commerce Solutions has certified NSS 3.1 on 18 platforms, including AIX 4.3, HP-UX + 11.0, Red Hat Linux 6.0, Solaris (2.6 or later), Windows NT (4.0 or later), and Windows 2000. + Other contributors are in the process of certifying additional platforms. The NSS 3.1 API + requires C or C++ development environments. + + For the latest NSS release notes and detailed platform information, see `Project + Information `__. + +.. _what_cryptography_standards_are_supported.3f: + +`What cryptography standards are supported? <#what_cryptography_standards_are_supported.3f>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + NSS supports `SSL v2 and v3 `__, + `TLS `__, `PKCS + #5 `__, `PKCS + #7 `__, `PKCS + #11 `__, `PKCS + #12 `__, + `S/MIME `__, and + `X.509 v3 `__ + certificates. For complete details, see `Encryption Technologies Available in NSS + 3.11 `__ + +.. _what_is_the_relationship_between_nss_and_psm.3f: + +`What is the relationship between NSS and PSM? <#what_is_the_relationship_between_nss_and_psm.3f>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + Personal Security Manager (PSM) is built on top of NSS. It consists of libraries and a daemon + designed to support cross-platform development of security-enabled client applications. The PSM + binary provides a client module that performs cryptographic operations on behalf of applications. + Netscape Personal Security Manager ships with Netscape 6 and the Gateway Connected Touch Pad with + Instant AOL, and is also available for use with Communicator 4.7x. + +.. _where_can_i_get_the_source.3f: + +`Where can I get the source? <#where_can_i_get_the_source.3f>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + For instructions on how to check out and build the NSS source code, see + :ref:`mozilla_projects_nss_nss_sources_building_testing`. + +.. _how_much_does_it_cost.3f: + +`How much does it cost? <#how_much_does_it_cost.3f>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + NSS source code and binaries (when they become available) are completely free. No license fees, + no royalty fees, no subscription fees. + +.. _developer_questions: + +`Developer Questions <#developer_questions>`__ +---------------------------------------------- + +.. _what_hardware_accelerators_are_supported.3f: + +`What hardware accelerators are supported? <#what_hardware_accelerators_are_supported.3f>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + NSS supports the PKCS #11 interface for hardware acceleration. Since leading accelerator vendors + such as Chrysalis-IT, nCipher, and Rainbow Technologies also support this interface, NSS-enabled + applications can support a wide variety of hardware accelerators. + +.. _how_do_i_integrate_smart_cards_into_my_application_using_nss.3f: + +`How do I integrate smart cards into my application using NSS? <#how_do_i_integrate_smart_cards_into_my_application_using_nss.3f>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + NSS supports the PKCS #11 interface for smart card integration. Applications that use the PKCS + #11 interface provided by NSS will therefore support smart cards from leading vendors such as + ActiveCard, Litronic, SafeNet, and SecureID Technologies that also support the PKCS #11 + interface. + +.. _does_nss_require_netscape_portable_runtime_.28nspr.29.3f: + +`Does NSS require Netscape Portable Runtime (NSPR)? <#does_nss_require_netscape_portable_runtime_.28nspr.29.3f>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + .. rubric:: To provide cross-platform support, NSS utilizes Netscape Portable Runtime (NSPR) + libraries as a portability interface and implementation that provides consistent + cross-platform semantics for network I/O and threading models. You can use NSPR throughout + your application or only in the portion that calls into NSS. Mozilla strongly recommends that + multithreaded applications use the NSPR or native OS threading model. (In recent NSPR + releases, the NSPR threading model is compatible with the native threading model if the OS has + native threads.) Alternatively, you can adapt the open-source NSPR implementation to be + compatible with your existing application's threading models. More information about NSPR may + be found at `Netscape Portable + Runtime `__. + :name: to_provide_cross-platform_support_nss_utilizes_netscape_portable_runtime_nspr_libraries_as_a_portability_interface_and_implementation_that_provides_consistent_cross-platform_semantics_for_network_io_and_threading_models._you_can_use_nspr_throughout_your_application_or_only_in_the_portion_that_calls_into_nss._mozilla_strongly_recommends_that_multithreaded_applications_use_the_nspr_or_native_os_threading_model._in_recent_nspr_releases_the_nspr_threading_model_is_compatible_with_the_native_threading_model_if_the_os_has_native_threads._alternatively_you_can_adapt_the_open-source_nspr_implementation_to_be_compatible_with_your_existing_applications_threading_models._more_information_about_nspr_may_be_found_at_netscape_portable_runtime. + +.. _can_i_use_nss_even_if_my_application_protocol_isn.27t_http.3f: + +`Can I use NSS even if my application protocol isn't HTTP? <#can_i_use_nss_even_if_my_application_protocol_isn.27t_http.3f>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + Yes, TLS is independent of application protocols. It works with common Internet standard + application protocols (HTTP, POP3, FTP, SMTP, etc.) as well as custom application protocols using + TCP/IP. + +.. _how_long_does_it_take_to_integrate_nss_into_my_application.3f: + +`How long does it take to integrate NSS into my application? <#how_long_does_it_take_to_integrate_nss_into_my_application.3f>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + The integration effort depends on an number of factors, such as developer skill set, application + complexity, and the level of security required for your application. NSS includes detailed + documentation of the SSL API and sample code that demonstrates basic SSL functionality (setting + up an encrypted session, server authentication, and client authentication) to help jump start the + integration process. However, there is little or no documentation currently available for the + rest of the NSS API. If your application requires sophisticated certificate management, smart + card support, or hardware acceleration, your integration effort will be more extensive. + +.. _where_can_i_download_the_nss_tools.3f: + +`Where can I download the NSS tools? <#where_can_i_download_the_nss_tools.3f>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + Binary builds of NSS for several platforms including the command-line tools can be downloaded + from + `http://ftp.mozilla.org/pub/mozilla.o...y/nss/releases/ `__. + NSPR, which you will need as well, can be downloaded from + http://ftp.mozilla.org/pub/mozilla.org/nspr/releases/. + +.. _how_can_i_learn_more_about_ssl.3f: + +`How can I learn more about TLS? <#how_can_i_learn_more_about_ssl.3f>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + See https://developer.mozilla.org/en-US/docs/Glossary/TLS. + +.. _licensing_questions: + +`Licensing Questions <#licensing_questions>`__ +---------------------------------------------- + +.. _how_is_nss_licensed.3f: + +`How is NSS licensed? <#how_is_nss_licensed.3f>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + NSS is available under the `Mozilla Public License `__, version 2. + +.. _is_nss_available_outside_the_united_states.3f: + +`Is NSS available outside the United States? <#is_nss_available_outside_the_united_states.3f>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + .. warning:: + + This section is out of date + + Yes; see `Build Instructions for NSS + 3.1. `__ and + ftp://ftp.mozilla.org/pub/mozilla.org/security/. However, NSS source code is subject to the U.S. + Export Administration Regulations and other U.S. law, and may not be exported or re-exported to + certain countries (Cuba, Iran, Iraq, Libya, North Korea, Serbia, Sudan, Syria, and + Taleban-controlled areas of Afghanistan as of January 2000) or to persons or entities prohibited + from receiving U.S. exports (including those (a) on the Bureau of Industry and Security Denied + Parties List or Entity List, (b) on the Office of Foreign Assets Control list of Specially + Designated Nationals and Blocked Persons, and (c) involved with missile technology or nuclear, + chemical or biological weapons). + + For more information about U.S. export controls on encryption software, see the `Mozilla Crypto + FAQ `__. \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/fips_mode_-_an_explanation/index.rst b/security/nss/doc/rst/legacy/fips_mode_-_an_explanation/index.rst new file mode 100644 index 0000000000..3e141cca5d --- /dev/null +++ b/security/nss/doc/rst/legacy/fips_mode_-_an_explanation/index.rst @@ -0,0 +1,129 @@ +.. _mozilla_projects_nss_fips_mode_-_an_explanation: + +FIPS Mode - an explanation +========================== + +.. container:: + + NSS has a "FIPS Mode" that can be enabled when NSS is compiled in a specific way. (Note: Mozilla + does not distribute a "FIPS Mode"-ready NSS with Firefox.) This page attempts to provide an + informal explanation of what it is, who would use it, and why. + +.. _what's_a_fips: + +`What's a FIPS? <#what's_a_fips>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + The United States government defines many (several hundred) "Federal Information Processing + Standard" (FIPS) documents. (FIPS sounds plural, but is singular; one FIPS document is a FIPS, + not a FIP.) FIPS documents define rules, regulations, and standards for many aspects of handling + of information by computers and by people. They apply to all US government employees and + personnel, including soldiers in the armed forces. Generally speaking, any use of a computer by + US government personnel must conform to all the relevant FIPS regulations. If you're a + US government worker, and you want to use a Mozilla software product such as Firefox, or any + product that uses NSS, you will want to use it in a way that is fully conformant with all the + relevant FIPS regulations. Some other governments have also adopted many of the FIPS + regulations, so their applicability is somewhat wider than just the US government's personnel. + +.. _what_is_fips_mode: + +`What is "FIPS Mode"? <#what_is_fips_mode>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + One of the FIPS regulations, FIPS 140, governs the use of encryption and cryptographic services. + It requires that ALL cryptography done by US government personnel MUST be done in "devices" that + have been independently tested, and certified by NIST, to meet the extensive requirements of that + document. These devices may be hardware or software, but either way, they must function and + behave as prescribed. So, in order for Mozilla Firefox and Thunderbird to be usable by people + who are subject to the FIPS regulations, Mozilla's cryptographic software must be able to operate + in a mode that is fully compliant with FIPS 140. To that end, Mozilla products can function in a + "FIPS Mode", which is really "FIPS 140 Mode", when paired with a compliant copy of NSS. (Note, + the current version of FIPS 140 is revision 2, a.k.a. FIPS 140-2. FIPS 140-3 is being devised by + NIST now for adoption in the future.) Users who are subject to the FIPS regulations must ensure + that they have Mozilla's FIPS Mode enabled when they use Mozilla software, in order to be fully + conformant. Instructions for how to configure Firefox into FIPS mode may be found on + `support.mozilla.com `__. + +.. _is_nss_fips-140_compliant: + +`Is NSS FIPS-140 compliant? <#is_nss_fips-140_compliant>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + Mozilla's NSS cryptographic software has been tested by government-approved independent testing + labs and certified by NIST as being FIPS 140 compliant *when operated in FIPS mode* on 4 previous + occasions. As of this writing, NSS is now being retested to be recertified for the fifth time. + NSS was the first open source cryptographic library to be FIPS certified. + +.. _what_is_fips_mode_all_about: + +`What is FIPS Mode all about? <#what_is_fips_mode_all_about>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + A FIPS-140 compliant application must do ALL of its cryptography in a FIPS-140 certified + "device". Whether it is hardware or software, that device will have all the cryptographic + engines in it, and also will stores keys and perhaps certificates inside. The device must have a + way for users to authenticate to it (to "login" to it), to prove to it that they are authorized + to use the cryptographic engines and keys it contains. It may not do ANY cryptographic + operations that involve the use of cryptographic keys, nor allow ANY of the keys or certificates + it holds to be seen or used, except when a user has successfully authenticated to it. If users + authenticate to it with a password, it must ensure that their passwords are strong passwords. It + must implement the US government standard algorithms (also specified in other FIPS documents) + such as AES, triple-DES, SHA-1 and SHA-256, that are needed to do whatever job the application + wants it to perform. It must generate or derive cryptographic keys and store them internally. + Except for "public keys", it must not allow any keys to leave it (to get outside of it) unless + they are encrypted ("wrapped") in a special way. This makes it difficult to move keys from one + device to another, and consequently, all crypto engines and key storage must be in a single + device rather than being split up into several devices. + +.. _how_does_this_affect_firefox_users: + +`How does this affect Firefox users? <#how_does_this_affect_firefox_users>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + These requirements have several implications for users. In FIPS Mode, every user must have a + good strong "master password", and must enter it each time they start or restart Firefox before + they can visit any web sites that use cryptography (https). Firefox can only use the latest + version of SSL, known as "TLS", and not the older SSL 2 or SSL 3.0 protocols, and Firefox can + only talk to those servers that use FIPS standard encryption algorithms such as AES or + triple-DES. Servers that can only use non-FIPS-approved encryption, such as RC4, cannot be used + in FIPS mode. + +.. _how_is_fips_mode_different_from_normal_non-fips_mode: + +`How is FIPS Mode different from normal non-FIPS Mode? <#how_is_fips_mode_different_from_normal_non-fips_mode>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + In normal non-FIPS Mode, the "master password" is optional and is allowed to be a weak short + password. The user is only required to enter his master password to use his own private keys (if + he has any) or to access his stored web-site passwords. The user is not required to enter the + master password to visit ordinary https servers, nor to view certificates he has previously + stored. In non-FIPS mode, NSS is willing and able to use popular non-FIPS approved cryptographic + algorithms, such as RC4 and MD5, to communicate with older https servers. NSS divides its + operations up into two "devices" rather than just one. One device does all the operations that + may be done without needing to authenticate, and the other device stores the user's certificates + and private keys and performs operations that use those private keys. + +.. _how_do_i_put_firefox_into_fips_mode: + +`How do I put Firefox into FIPS Mode? <#how_do_i_put_firefox_into_fips_mode>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + Instructions for how to configure Firefox into FIPS mode may be found on + `support.mozilla.com `__. + Some third-parties distribute Firefox ready for FIPS mode, `a partial list can be found at the + NSS + wiki `__. \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/http_delegation/index.rst b/security/nss/doc/rst/legacy/http_delegation/index.rst new file mode 100644 index 0000000000..f0288507d9 --- /dev/null +++ b/security/nss/doc/rst/legacy/http_delegation/index.rst @@ -0,0 +1,105 @@ +.. _mozilla_projects_nss_http_delegation: + +HTTP delegation +=============== + +`Background <#background>`__ +---------------------------- + +.. container:: + + Up to version 3.11, :ref:`mozilla_projects_nss` connects directly over + `HTTP `__ to an OCSP responder to make the + request and fetch the response. It does so in a blocking fashion, and also directly to the + responder, ignoring any proxy the application may wish to use. This causes OCSP requests to fail + if the network environment requires the use of a proxy. + + There are two possible solutions to this limitation. Instead of improving the simple HTTP client + in NSS, the NSS team has decided to provide an NSS API to register application callback + functions. If provided by the application, NSS will use the registered HTTP client for querying + an OSCP responder. + + This NSS feature is currently targeted to first appear in NSS version 3.11.1. More details can be + found in `bug 152426 `__. + + In order to use the HTTP Delegation feature in your NSS-based application, you need to implement + several callback functions. Your callback functions might be a full implementation of a HTTP + client. Or you might choose to leverage an existing HTTP client library and implement the + callback functions as a thin layer that forwards requests from NSS to the HTTP client library. + + To learn about all the details, please read the documentation contained in the NSS C header + files. Look for function SEC_RegisterDefaultHttpClient and all functions having names that start + with SEC_Http. + + To find an example implementation, you may look at + `bug 111384 `__, which tracks the + implementation in Mozilla client applications. + +.. _instructions_for_specifying_an_ocsp_proxy: + +`Specifying an OCSP proxy <#instructions_for_specifying_an_ocsp_proxy>`__ +------------------------------------------------------------------------- + +.. container:: + + The remainder of this document is a short HOWTO. + + One might expect the API defines a simple function that accepts the URI and data to be sent, and + returns the result data. But there is no such simple interface. + + The API should allow NSS to use the HTTP client either asynchronously or synchronously. In + addition, during an application session with OCSP enabled, a large number of OCSP requests might + have to be sent. Therefore the API should allow for keep-alive (persistent) HTTP connections. + + HTTP URIs consist of host:port and a path, e.g. + http://ocsp.provider.com:80/cgi-bin/ocsp-responder + + If NSS needs to access a HTTP server, it will request that an "http server session object" be + created (SEC_HttpServer_CreateSessionFcn). + + The http server session object is logically associated with host and port destination + information, in our example this is "host ocsp.provider.com port 80". The object may be used by + the application to associate it with a physical network connection. + + (NSS might choose to be smart, and only create a single http server session object for each + server encountered. NSS might also choose to be simple, and request multiple objects for the same + server. The application must support both strategies.) + + The logical http server session object is expected to remain valid until explicitly destroyed + (SEC_HttpServer_FreeSessionFcn). Should the application be unable to keep a physical connection + alive all the time, the application is expected to create new connections automatically. + + NSS may choose to repeatedly call a "network connection keep alive" function + (SEC_HttpServer_KeepAliveSessionFcn) on the server session object, giving application code a + chance to do whatever is required. + + For each individual HTTP request, NSS will request the creation of a "http request object" + (SEC_HttpRequest_CreateFcn). No full URI is provided as a parameter. Instead, the parameters are + a server session object (that carries host and port information already) and the request path. In + our example the path is "/cgi-bin/ocsp-responder". (When issueing GET requests, the + "?query-string=data" portion should already be appended to the request path) + + After creation, NSS might call functions to provide additional details of the HTTP request (e.g. + SEC_HttpRequest_SetPostDataFcn). The application is expected to collect the details for later + use. + + Once NSS is finished providing all details, it will request to initiate the actual network + communication (SEC_HttpRequest_TrySendAndReceiveFcn). The application should try to reuse + existing network connections associated with the server session object. + + Once the HTTP response has been obtained from the HTTP server, the function will provide the + results in its "out parameters". + + Please read the source code documentation to learn how to use this API synchronously or + asynchronously. + + Now that we have explained the interaction between NSS, the callback functions and the + application, let's look at the steps required by the application to initially register the + callbacks. + + Make sure you have completed the NSS initialization before you attempt to register the callbacks. + + Look at SEC_HttpClientFcn, which is a (versioned) table of function pointers. Create an instance + of this type and supply a pointer to your implementation for each entry in the function table. + + Finally register your HTTP client implementation with a call to SEC_RegisterDefaultHttpClient. \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/http_delegation_clone/index.rst b/security/nss/doc/rst/legacy/http_delegation_clone/index.rst new file mode 100644 index 0000000000..ac305b2dd3 --- /dev/null +++ b/security/nss/doc/rst/legacy/http_delegation_clone/index.rst @@ -0,0 +1,105 @@ +.. _mozilla_projects_nss_http_delegation_clone: + +HTTP delegation +=============== + +`Background <#background>`__ +---------------------------- + +.. container:: + + Up to version 3.11, :ref:`mozilla_projects_nss` connects directly over + `HTTP `__ to an OCSP responder to make the + request and fetch the response. It does so in a blocking fashion, and also directly to the + responder, ignoring any proxy the application may wish to use. This causes OCSP requests to fail + if the network environment requires the use of a proxy. + + There are two possible solutions to this limitation. Instead of improving the simple HTTP client + in NSS, the NSS team has decided to provide an NSS API to register application callback + functions. If provided by the application, NSS will use the registered HTTP client for querying + an OSCP responder. + + This NSS feature is currently targeted to first appear in NSS version 3.11.1. More details can be + found in `bug 152426 `__. + + In order to use the HTTP Delegation feature in your NSS-based application, you need to implement + several callback functions. Your callback functions might be a full implementation of a HTTP + client. Or you might choose to leverage an existing HTTP client library and implement the + callback functions as a thin layer that forwards requests from NSS to the HTTP client library. + + To learn about all the details, please read the documentation contained in the NSS C header + files. Look for function SEC_RegisterDefaultHttpClient and all functions having names that start + with SEC_Http. + + To find an example implementation, you may look at + `bug 111384 `__, which tracks the + implementation in Mozilla client applications. + +.. _instructions_for_specifying_an_ocsp_proxy: + +`Specifying an OCSP proxy <#instructions_for_specifying_an_ocsp_proxy>`__ +------------------------------------------------------------------------- + +.. container:: + + The remainder of this document is a short HOWTO. + + One might expect the API defines a simple function that accepts the URI and data to be sent, and + returns the result data. But there is no such simple interface. + + The API should allow NSS to use the HTTP client either asynchronously or synchronously. In + addition, during an application session with OCSP enabled, a large number of OCSP requests might + have to be sent. Therefore the API should allow for keep-alive (persistent) HTTP connections. + + HTTP URIs consist of host:port and a path, e.g. + http://ocsp.provider.com:80/cgi-bin/ocsp-responder + + If NSS needs to access a HTTP server, it will request that an "http server session object" be + created (SEC_HttpServer_CreateSessionFcn). + + The http server session object is logically associated with host and port destination + information, in our example this is "host ocsp.provider.com port 80". The object may be used by + the application to associate it with a physical network connection. + + (NSS might choose to be smart, and only create a single http server session object for each + server encountered. NSS might also choose to be simple, and request multiple objects for the same + server. The application must support both strategies.) + + The logical http server session object is expected to remain valid until explicitly destroyed + (SEC_HttpServer_FreeSessionFcn). Should the application be unable to keep a physical connection + alive all the time, the application is expected to create new connections automatically. + + NSS may choose to repeatedly call a "network connection keep alive" function + (SEC_HttpServer_KeepAliveSessionFcn) on the server session object, giving application code a + chance to do whatever is required. + + For each individual HTTP request, NSS will request the creation of a "http request object" + (SEC_HttpRequest_CreateFcn). No full URI is provided as a parameter. Instead, the parameters are + a server session object (that carries host and port information already) and the request path. In + our example the path is "/cgi-bin/ocsp-responder". (When issuing GET requests, the + "?query-string=data" portion should already be appended to the request path) + + After creation, NSS might call functions to provide additional details of the HTTP request (e.g. + SEC_HttpRequest_SetPostDataFcn). The application is expected to collect the details for later + use. + + Once NSS is finished providing all details, it will request to initiate the actual network + communication (SEC_HttpRequest_TrySendAndReceiveFcn). The application should try to reuse + existing network connections associated with the server session object. + + Once the HTTP response has been obtained from the HTTP server, the function will provide the + results in its "out parameters". + + Please read the source code documentation to learn how to use this API synchronously or + asynchronously. + + Now that we have explained the interaction between NSS, the callback functions and the + application, let's look at the steps required by the application to initially register the + callbacks. + + Make sure you have completed the NSS initialization before you attempt to register the callbacks. + + Look at SEC_HttpClientFcn, which is a (versioned) table of function pointers. Create an instance + of this type and supply a pointer to your implementation for each entry in the function table. + + Finally register your HTTP client implementation with a call to SEC_RegisterDefaultHttpClient. \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/index.rst b/security/nss/doc/rst/legacy/index.rst new file mode 100644 index 0000000000..fd55e1ac10 --- /dev/null +++ b/security/nss/doc/rst/legacy/index.rst @@ -0,0 +1,178 @@ +.. _mozilla_projects_nss: + +Legacy documentation +==================== + +.. toctree:: + :maxdepth: 2 + :glob: + :hidden: + + getting_started_with_nss/index.rst + introduction_to_network_security_services/index.rst + More documentation + +.. warning:: + This NSS documentation was just imported from our legacy MDN repository. It currently is very deprecated and likely incorrect or broken in many places. + +Legacy Documentation +-------------------- + +.. container:: + + **Network Security Services** (**NSS**) is a set of libraries designed to support cross-platform + development of security-enabled client and server applications. Applications built with NSS can + support SSL v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and + other security standards. + + For detailed information on standards supported, see :ref:`mozilla_projects_nss_overview`. For a + list of frequently asked questions, see the :ref:`mozilla_projects_nss_faq`. + + NSS is available under the Mozilla Public License. For information on downloading NSS releases as + tar files, see :ref:`mozilla_projects_nss_nss_sources_building_testing`. + + If you're a developer and would like to contribute to NSS, you might want to read the documents + :ref:`mozilla_projects_nss_an_overview_of_nss_internals` and + :ref:`mozilla_projects_nss_getting_started_with_nss`. + + .. rubric:: Background Information + :name: Background_Information + + :ref:`mozilla_projects_nss_overview` + Provides a brief summary of NSS and its capabilities. + :ref:`mozilla_projects_nss_faq` + Answers basic questions about NSS. + `Introduction to Public-Key Cryptography `__ + Explains the basic concepts of public-key cryptography that underlie NSS. + `Introduction to SSL `__ + Introduces the SSL protocol, including information about cryptographic ciphers supported by + SSL and the steps involved in the SSL handshake. + + .. rubric:: Getting Started + :name: Getting_Started + + :ref:`mozilla_projects_nss_nss_releases` + This page contains information about the current and past releases of NSS. + :ref:`mozilla_projects_nss_nss_sources_building_testing` + Instructions on how to build NSS on the different supported platforms. + `Get Mozilla Source Code Using Mercurial `__ + Information about with working with Mercurial. + `Get Mozilla Source Code Using CVS (deprecated) `__ + Old deprecated CVS documentation. + + .. rubric:: NSS APIs + :name: NSS_APIs + + :ref:`mozilla_projects_nss_introduction_to_network_security_services` + Provides an overview of the NSS libraries and what you need to know to use them. + :ref:`mozilla_projects_nss_ssl_functions` + Summarizes the SSL APIs exported by the NSS shared libraries. + :ref:`mozilla_projects_nss_reference` + API used to invoke SSL operations. + :ref:`mozilla_projects_nss_nss_api_guidelines` + Explains how the libraries and code are organized, and guidelines for developing code (naming + conventions, error handling, thread safety, etc.) + :ref:`mozilla_projects_nss_nss_tech_notes` + Links to NSS technical notes, which provide latest information about new NSS features and + supplementary documentation for advanced topics in programming with NSS. + + .. rubric:: Tools, testing, and other technical details + :name: Tools_testing_and_other_technical_details + + :ref:`mozilla_projects_nss_building` + Describe how to check out and build NSS releases. + + :ref:`mozilla_projects_nss_nss_developer_tutorial` + How to make changes in NSS. Coding style, maintaining ABI compatibility. + + :ref:`mozilla_projects_nss_tools` + Tools for developing, debugging, and managing applications that use NSS. + :ref:`mozilla_projects_nss_nss_sample_code` + Demonstrates how NSS can be used for cryptographic operations, certificate handling, SSL, etc. + :ref:`mozilla_projects_nss_nss_third-party_code` + A list of third-party code included in the NSS library. + `NSS 3.2 Test Suite `__ + **Archived version.** Describes how to run the standard NSS tests. + `NSS Performance Reports `__ + **Archived version.** Links to performance reports for NSS 3.2 and later releases. + `Encryption Technologies Available in NSS 3.11 `__ + **Archived version.** Lists the cryptographic algorithms used by NSS 3.11. + `NSS 3.1 Loadable Root Certificates `__ + **Archived version.** Describes the scheme for loading root CA certificates. + `cert7.db `__ + **Archived version.** General format of the cert7.db database. + + .. rubric:: PKCS #11 information + :name: PKCS_11_information + + - :ref:`mozilla_projects_nss_pkcs11` + - :ref:`mozilla_projects_nss_pkcs11_implement` + - :ref:`mozilla_projects_nss_pkcs11_module_specs` + - :ref:`mozilla_projects_nss_pkcs11_faq` + - `Using the JAR Installation Manager to Install a PKCS #11 Cryptographic + Module `__ + - `PKCS #11 Conformance Testing - Archived + version `__ + + .. rubric:: CA certificates pre-loaded into NSS + :name: CA_certificates_pre-loaded_into_NSS + + - `Mozilla CA certificate policy `__ + - `List of pre-loaded CA certificates `__ + + - Consumers of this list must consider the trust bit setting for each included root + certificate. `More + Information `__, `Extracting + roots and their trust bits `__ + + .. rubric:: NSS is built on top of Netscape Portable Runtime (NSPR) + :name: NSS_is_built_on_top_of_Netscape_Portable_Runtime_NSPR + + `Netscape Portable Runtime `__ + NSPR project page. + `NSPR Reference `__ + NSPR API documentation. + + .. rubric:: Additional Information + :name: Additional_Information + + - `Using the window.crypto object from + JavaScript `__ + - :ref:`mozilla_projects_nss_http_delegation` + - :ref:`mozilla_projects_nss_tls_cipher_suite_discovery` + - :ref:`mozilla_projects_nss_certificate_download_specification` + - :ref:`mozilla_projects_nss_fips_mode_-_an_explanation` + - :ref:`mozilla_projects_nss_key_log_format` + + .. rubric:: Planning + :name: Planning + + Information on NSS planning can be found at `wiki.mozilla.org `__, + including: + + - `FIPS Validation `__ + - `NSS Roadmap page `__ + - `NSS Improvement + Project `__ + +Community +~~~~~~~~~ + +- View Mozilla Security forums... + +- `Mailing list `__ +- `Newsgroup `__ +- `RSS feed `__ + +- View Mozilla Cryptography forums... + +- `Mailing list `__ +- `Newsgroup `__ +- `RSS feed `__ + + +Related Topics +~~~~~~~~~~~~~~ + +- `Security `__ + diff --git a/security/nss/doc/rst/legacy/index/index.rst b/security/nss/doc/rst/legacy/index/index.rst new file mode 100644 index 0000000000..a592015264 --- /dev/null +++ b/security/nss/doc/rst/legacy/index/index.rst @@ -0,0 +1,11751 @@ +.. _mozilla_projects_nss_index: + +Index +===== + +.. container:: + + **Found 361 pages:** + + +--------------------------------+--------------------------------+--------------------------------+ + | # | Page | Tags and summary | + +================================+================================+================================+ + | 1 | :ref:`mozilla_projects_nss` | **JSS, NSS, NeedsMigration** | + +--------------------------------+--------------------------------+--------------------------------+ + | | | **Network Security Services** | + | | | (**NSS**) is a set of | + | | | libraries designed to support | + | | | cross-platform development of | + | | | security-enabled client and | + | | | server applications. | + | | | Applications built with NSS | + | | | can support SSL v3, TLS, PKCS | + | | | #5, PKCS #7, PKCS #11, PKCS | + | | | #12, S/MIME, X.509 v3 | + | | | certificates, and other | + | | | security standards. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 2 | :ref:`mozilla_projects_nss | **API, Intermediate, Intro, | + | | _an_overview_of_nss_internals` | NSS, Tools** | + +--------------------------------+--------------------------------+--------------------------------+ + | | | A High-Level Overview to the | + | | | Internals of `Network Security | + | | | Services | + | | | (NSS) `__ | + | | | Software developed by the | + | | | Mozilla.org projects | + | | | traditionally used its own | + | | | implementation of security | + | | | protocols and cryptographic | + | | | algorithms, originally called | + | | | Netscape Security Services, | + | | | nowadays called Network | + | | | Security Services (NSS). NSS | + | | | is a library written in the C | + | | | programming language. It's | + | | | free and open source software, | + | | | and many other software | + | | | projects have decided to use | + | | | it. In order to support | + | | | multiple operating systems | + | | | (OS), it is based on a cross | + | | | platform portability layer, | + | | | called the Netscape Portable | + | | | Runtime (NSPR), which provides | + | | | cross platform application | + | | | programming interfaces (APIs) | + | | | for OS specific APIs like file | + | | | system access, memory | + | | | management, network | + | | | communication, and | + | | | multithreaded programming. | + | | | NSS offers lots of | + | | | functionality; we'll walk | + | | | through the list of modules, | + | | | design principles, and | + | | | important relevant standards. | + | | | In order to allow | + | | | interoperability between | + | | | software and devices that | + | | | perform cryptographic | + | | | operations, NSS conforms to a | + | | | standard called PKCS#11. (Note | + | | | that it's important to look at | + | | | the number 11, as there are | + | | | other PKCS standards with | + | | | different numbers that define | + | | | quite different topics.) | + | | | A software or hardware module | + | | | conforming to the PKCS#11 | + | | | standard implements an | + | | | interface of C calls, which | + | | | allow querying the | + | | | characteristics and offered | + | | | services of the module. | + | | | Multiple elements of NSS's own | + | | | modules have been implemented | + | | | with this interface, and NSS | + | | | makes use of this interface | + | | | when talking to those modules. | + | | | This strategy allows NSS to | + | | | work with many hardware | + | | | devices (e.g., to speed up the | + | | | calculations required for | + | | | cryptographic operations, or | + | | | to access smartcards that | + | | | securely protect a secret key) | + | | | and software modules (e.g., to | + | | | allow to load such modules as | + | | | a plugin that provides | + | | | additional algorithms or | + | | | stores key or trust | + | | | information) that implement | + | | | the PKCS#11 interface. | + | | | A core element of NSS is | + | | | FreeBL, a base library | + | | | providing hash functions, big | + | | | number calculations, and | + | | | cryptographic algorithms. | + | | | Softoken is an NSS module that | + | | | exposes most FreeBL | + | | | functionality as a PKCS#11 | + | | | module. | + | | | Some cryptography uses the | + | | | same secret key for both | + | | | encrypting and decrypting, for | + | | | example password based | + | | | encryption (PBE). This is | + | | | often sufficient if you | + | | | encrypt data for yourself, but | + | | | as soon as you need to | + | | | exchange signed/encrypted data | + | | | with communication partners, | + | | | using public key encryption | + | | | simplifies the key management. | + | | | The environment that describes | + | | | how to use public key | + | | | encryption is called Public | + | | | Key Infrastructure (PKI). The | + | | | public keys that are exchanged | + | | | between parties are | + | | | transported using a container; | + | | | the container is called a | + | | | certificate, following | + | | | standard X.509 version 3. A | + | | | certificate contains lots of | + | | | other details; for example, it | + | | | contains a signature by a | + | | | third party that expresses | + | | | trust in the ownership | + | | | relationship for the | + | | | certificate. The trust | + | | | assigned by the third party | + | | | might be restricted to certain | + | | | uses, which are listed in | + | | | certificate extensions that | + | | | are contained in the | + | | | certificate. | + | | | Many (if not most) of the | + | | | operations performed by NSS | + | | | involve the use of X.509 | + | | | certificates (often | + | | | abbreviated as “cert”, | + | | | unfortunately making it easy | + | | | to confuse with the term | + | | | “computer emergency response | + | | | team“). | + | | | When checking whether a | + | | | certificate is trusted or not, | + | | | it's necessary to find a | + | | | relevant trust anchor (root | + | | | certificate) that represents | + | | | the signing capability of a | + | | | trusted third party, usually | + | | | called a Certificate Authority | + | | | (CA). A trust anchor is just | + | | | another X.509 certificate that | + | | | is already known and has been | + | | | deliberately marked as trusted | + | | | by a software vendor, | + | | | administrators inside an | + | | | organizational infrastructure, | + | | | or the software user. NSS | + | | | ships a predefined set of CA | + | | | certificates. This set, | + | | | including their trust | + | | | assignments, is provided by | + | | | NSS as a software module, | + | | | called CKBI (“built-in root | + | | | certificates”), which also | + | | | implements the PKCS#11 | + | | | interface. On an | + | | | organizational level the | + | | | contents of the set are | + | | | managed according to the | + | | | Mozilla CA policy. On a | + | | | technical level the set is a | + | | | binary software module. | + | | | A cryptographic transaction, | + | | | such as encryption or | + | | | decryption related to a data | + | | | exchange, usually involves | + | | | working with the X.509 certs | + | | | of your communication partners | + | | | (peer). It's also required | + | | | that you safely keep your own | + | | | secret keys that belong to | + | | | your own certificates. You | + | | | might want to protect the | + | | | storage of your secret keys | + | | | with PBE. You might decide to | + | | | modify the default trust | + | | | provided by NSS. All of this | + | | | requires storing, looking up, | + | | | and retrieving data. NSS | + | | | simplifies performing these | + | | | operations by offering storage | + | | | and management APIs. NSS | + | | | doesn't require the programmer | + | | | to manage individual files | + | | | containing individual | + | | | certificates or keys. Instead, | + | | | NSS offers to use its own | + | | | database(s). Once you have | + | | | imported certificates and keys | + | | | into the NSS database, you can | + | | | easily look them up and use | + | | | them again. | + | | | Because of NSS's expectation | + | | | to operate with an NSS | + | | | database, it's mandatory that | + | | | you perform an initialization | + | | | call, where you tell NSS which | + | | | database you will be using. In | + | | | the most simple scenario, the | + | | | programmer will provide a | + | | | directory on your filesystem | + | | | as a parameter to the init | + | | | function, and NSS is designed | + | | | to do the rest. It will detect | + | | | and open an existing database, | + | | | or it can create a new one. | + | | | Alternatively, should you | + | | | decide that you don't want to | + | | | work with any persistent | + | | | recording of certificates, you | + | | | may initialize NSS in a | + | | | no-database mode. Usually, NSS | + | | | will flush all data to disk as | + | | | soon as new data has been | + | | | added to permanent storage. | + | | | Storage consists of multiple | + | | | files: a key database file, | + | | | which contains your secret | + | | | keys, and a certificate | + | | | database file which contains | + | | | the public portion of your own | + | | | certificates, the certificates | + | | | of peers or CAs, and a list of | + | | | trust decisions (such as to | + | | | not trust a built-in CA, or to | + | | | explicitly trust other CAs). | + | | | Examples for the database | + | | | files are key3.db and | + | | | cert8.db, where the numbers | + | | | are file version numbers. A | + | | | third file contains the list | + | | | of external PKCS#11 modules | + | | | that have been registered to | + | | | be used by NSS. The file could | + | | | be named secmod.db, but in | + | | | newer database generations a | + | | | file named pkcs11.txt is used. | + | | | Only NSS is allowed to access | + | | | and manipulate these database | + | | | files directly; a programmer | + | | | using NSS must go through the | + | | | APIs offered by NSS to | + | | | manipulate the data stored in | + | | | these files. The programmer's | + | | | task is to initialize NSS with | + | | | the required parameters (such | + | | | as a database), and NSS will | + | | | then transparently manage the | + | | | database files. | + | | | Most of the time certificates | + | | | and keys are supposed to be | + | | | stored in the NSS database. | + | | | Therefore, after initial | + | | | import or creation, the | + | | | programmer usually doesn't | + | | | deal with their raw bytes. | + | | | Instead, the programmer will | + | | | use lookup functions, and NSS | + | | | will provide an access handle | + | | | that will be subsequently used | + | | | by the application's code. | + | | | Those handles are reference | + | | | counted. NSS will usually | + | | | create an in-memory (RAM) | + | | | presentation of certificates, | + | | | once a certificate has been | + | | | received from the network, | + | | | read from disk, or looked up | + | | | from the database, and prepare | + | | | in-memory data structures that | + | | | contain the certificate's | + | | | properties, as well as | + | | | providing a handle for the | + | | | programmer to use. Once the | + | | | application is done with a | + | | | handle, it should be released, | + | | | allowing NSS to free the | + | | | associated resources. When | + | | | working with handles to | + | | | private keys it's usually | + | | | difficult (and undesired) that | + | | | an application gets access to | + | | | the raw key data; therefore it | + | | | may be difficult to extract | + | | | such data from NSS. The usual | + | | | minimum requirement is that | + | | | private keys must be wrapped | + | | | using a protective layer (such | + | | | as password-based encryption). | + | | | The intention is to make it | + | | | easier to review code for | + | | | security. The less code that | + | | | has access to raw secret keys, | + | | | the less code that must be | + | | | reviewed. | + | | | NSS has only limited | + | | | functionality to look up raw | + | | | keys. The preferred approach | + | | | is to use certificates, and to | + | | | look up certificates by | + | | | properties such as the | + | | | contained subject name | + | | | (information that describes | + | | | the owner of the certificate). | + | | | For example, while NSS | + | | | supports random calculation | + | | | (creation) of a new | + | | | public/private key pair, it's | + | | | difficult to work with such a | + | | | raw key pair. The usual | + | | | approach is to create a | + | | | certificate signing request | + | | | (CSR) as soon as an | + | | | application is done with the | + | | | creation step, which will have | + | | | created a handle to the key | + | | | pair, and which can be used | + | | | for the necessary related | + | | | operations, like producing a | + | | | proof-of-ownership of the | + | | | private key, which is usually | + | | | required when submitting the | + | | | public key with a CSR to a CA. | + | | | The usual follow up action is | + | | | receiving a signed certificate | + | | | from a CA. (However, it's also | + | | | possible to use NSS | + | | | functionality to create a | + | | | self-signed certificate, | + | | | which, however, usually won't | + | | | be trusted by other parties.) | + | | | Once received, it's sufficient | + | | | to tell NSS to import such a | + | | | new certificate into the NSS | + | | | database, and NSS will | + | | | automatically perform a lookup | + | | | of the embedded public key, be | + | | | able to find the associated | + | | | private key, and subsequently | + | | | be able to treat it as a | + | | | personal certificate. (A | + | | | personal certificate is a | + | | | certificate for which the | + | | | private key is in possession, | + | | | and which could be used for | + | | | signing data or for decrypting | + | | | data.) A unique nickname | + | | | can/should be assigned to the | + | | | certificate at the time of | + | | | import, which can later be | + | | | used to easily identify and | + | | | retrieve it. | + | | | It's important to note that | + | | | NSS requires strict cleanup | + | | | for all handles returned by | + | | | NSS. The application should | + | | | always call the appropriate | + | | | dereference (destroy) | + | | | functions once a handle is no | + | | | longer needed. This is | + | | | particularly important for | + | | | applications that might need | + | | | to close a database and | + | | | reinitialize NSS using a | + | | | different one, without | + | | | restarting. Such an operation | + | | | might fail at runtime if data | + | | | elements are still being | + | | | referenced. | + | | | In addition to the FreeBL, | + | | | Softoken, and CKBI modules, | + | | | there is an utility library | + | | | for general operations (e.g., | + | | | encoding/decoding between data | + | | | formats, a list of | + | | | standardized object | + | | | identifiers (OID)). NSS has an | + | | | SSL/TLS module that implements | + | | | the Secure Sockets | + | | | Layer/Transport Layer Security | + | | | network protocols, an S/MIME | + | | | module that implements CMS | + | | | messaging used by secure email | + | | | and some instant messaging | + | | | implementations, a DBM library | + | | | that implements the classic | + | | | database storage, and finally | + | | | a core NSS library for the big | + | | | set of “everything else”. | + | | | Newer generations of the | + | | | database use the SQLite | + | | | database to allow concurrent | + | | | access by multiple | + | | | applications. | + | | | All of the above are provided | + | | | as shared libraries. The CRMF | + | | | library, which is used to | + | | | produce certain kinds of | + | | | certificate requests, is | + | | | available as a library for | + | | | static linking only. | + | | | When dealing with certificates | + | | | (X.509), file formats such as | + | | | PKCS#12 (certificates and | + | | | keys), PKCS#7 (signed data), | + | | | and message formats as CMS, we | + | | | should mention ASN.1, which is | + | | | a syntax for storing | + | | | structured data in a very | + | | | efficient (small sized) | + | | | presentation. It was | + | | | originally developed for | + | | | telecommunication systems at | + | | | times where it was critical to | + | | | minimize data as much as | + | | | possible (although it still | + | | | makes sense to use that | + | | | principle today for good | + | | | performance). In order to | + | | | process data available in the | + | | | ASN.1 format, the usual | + | | | approach is to parse it and | + | | | transfer it to a presentation | + | | | that requires more space but | + | | | is easier to work with, such | + | | | as (nested) C data structures. | + | | | Over the time NSS has received | + | | | three different ASN.1 parser | + | | | implementations, each having | + | | | their own specific properties, | + | | | advantages and disadvantages, | + | | | which is why all of them are | + | | | still being used (nobody has | + | | | yet dared to replace the older | + | | | with the newer ones because of | + | | | risks for side effects). When | + | | | using the ASN.1 parser(s), a | + | | | template definition is passed | + | | | to the parser, which will | + | | | analyze the ASN.1 data stream | + | | | accordingly. The templates are | + | | | usually closely aligned to | + | | | definitions found in RFC | + | | | documents. | + | | | A data block described as DER | + | | | is usually in ASN.1 format. | + | | | You must know which data you | + | | | are expecting, and use the | + | | | correct template for parsing, | + | | | based on the context of your | + | | | software's interaction. Data | + | | | described as PEM is a base64 | + | | | encoded presentation of DER, | + | | | usually wrapped between human | + | | | readable BEGIN/END lines. NSS | + | | | prefers the binary | + | | | presentation, but is often | + | | | capable to use base64 or ASCII | + | | | presentations, especially when | + | | | importing data from files. A | + | | | recent development adds | + | | | support for loading external | + | | | PEM files that contain private | + | | | keys, in a software library | + | | | called nss-pem, which is | + | | | separately available, but | + | | | should eventually become a | + | | | core part of NSS. | + | | | Looking at the code level, NSS | + | | | deals with blocks of raw data | + | | | all the time. The common | + | | | structure to store such an | + | | | untyped block is SECItem, | + | | | which contains a size and an | + | | | untyped C pointer variable. | + | | | When dealing with memory, NSS | + | | | makes use of arenas, which are | + | | | an attempt to simplify | + | | | management with the limited | + | | | offerings of C (because there | + | | | are no destructors). The idea | + | | | is to group multiple memory | + | | | allocations in order to | + | | | simplify cleanup. Performing | + | | | an operation often involves | + | | | allocating many individual | + | | | data items, and the code might | + | | | be required to abort a task at | + | | | many positions in the logic. | + | | | An arena is requested once | + | | | processing of a task starts, | + | | | and all memory allocations | + | | | that are logically associated | + | | | to that task are requested | + | | | from the associated arena. The | + | | | implementation of arenas makes | + | | | sure that all individual | + | | | memory blocks are tracked. | + | | | Once a task is done, | + | | | regardless whether it | + | | | completed or was aborted, the | + | | | programmer simply needs to | + | | | release the arena, and all | + | | | individually allocated blocks | + | | | will be released | + | | | automatically. Often freeing | + | | | is combined with immediately | + | | | erasing (zeroing, zfree) the | + | | | memory associated to the | + | | | arena, in order to make it | + | | | more difficult for attackers | + | | | to extract keys from a memory | + | | | dump. | + | | | NSS uses many C data | + | | | structures. Often NSS has | + | | | multiple implementations for | + | | | the same or similar concepts. | + | | | For example, there are | + | | | multiple presentations of | + | | | certificates, and the NSS | + | | | internals (and sometimes even | + | | | the application using NSS) | + | | | might have to convert between | + | | | them. | + | | | Key responsibilites of NSS are | + | | | verification of signatures and | + | | | certificates. In order to | + | | | verify a digital signature, we | + | | | have to look at the | + | | | application data (e.g., a | + | | | document that was signed), the | + | | | signature data block (the | + | | | digital signature), and a | + | | | public key (as found in a | + | | | certificate that is believed | + | | | to be the signer, e.g., | + | | | identified by metadata | + | | | received together with the | + | | | signature). The signature is | + | | | verified if it can be shown | + | | | that the signature data block | + | | | must have been produced by the | + | | | owner of the public key | + | | | (because only that owner has | + | | | the associated private key). | + | | | Verifying a certificate (A) | + | | | requires some additional | + | | | steps. First, you must | + | | | identify the potential signer | + | | | (B) of a certificate (A). This | + | | | is done by reading the “issuer | + | | | name” attribute of a | + | | | certificate (A), and trying to | + | | | find that issuer certificate | + | | | (B) (by looking for a | + | | | certificate that uses that | + | | | name as its “subject name”). | + | | | Then you attempt to verify the | + | | | signature found in (A) using | + | | | the public key found in (B). | + | | | It might be necessary to try | + | | | multiple certificates (B1, B2, | + | | | ...) each having the same | + | | | subject name. | + | | | After succeeding, it might be | + | | | necessary to repeat this | + | | | procedure recursively. The | + | | | goal is to eventually find a | + | | | certificate B (or C or ...) | + | | | that has an appropriate trust | + | | | assigned (e.g., because it can | + | | | be found in the CKBI module | + | | | and the user hasn't made any | + | | | overriding trust decisions, or | + | | | it can be found in a NSS | + | | | database file managed by the | + | | | user or by the local | + | | | environment). | + | | | After having successfully | + | | | verified the signatures in a | + | | | (chain of) issuer | + | | | certificate(s), we're still | + | | | not done with verifying the | + | | | certificate A. In a PKI it's | + | | | suggested/required to perform | + | | | additional checks. For | + | | | example: Certificates were | + | | | valid at the time the | + | | | signature was made, name in | + | | | certificates matches the | + | | | expected signer (check subject | + | | | name, common name, email, | + | | | based on application), the | + | | | trust restrictions recorded | + | | | inside the certificate | + | | | (extensions) permit the use | + | | | (e.g., encryption might be | + | | | allowed, but not signing), and | + | | | based on | + | | | environment/application policy | + | | | it might be required to | + | | | perform a revocation check | + | | | (OCSP or CRL), that asks the | + | | | issuer(s) of the certificates | + | | | whether there have been events | + | | | that made it necessary to | + | | | revoke the trust (revoke the | + | | | validity of the cert). | + | | | Trust anchors contained in the | + | | | CKBI module are usually self | + | | | signed, which is defined as | + | | | having identical subject name | + | | | and issuer name fields. If a | + | | | self-signed certificate is | + | | | marked as explicitly trusted, | + | | | NSS will skip checking the | + | | | self-signature for validity. | + | | | NSS has multiple APIs to | + | | | perform verification of | + | | | certificates. There is a | + | | | classic engine that is very | + | | | stable and works fine in all | + | | | simple scenarios, for example | + | | | if all (B) candidate issuer | + | | | certificates have the same | + | | | subject and issuer names and | + | | | differ by validity period; | + | | | however, it works only in a | + | | | limited amount of more | + | | | advanced scenarios. | + | | | Unfortunately, the world of | + | | | certificates has become more | + | | | complex in the recent past. | + | | | New Certificate Authorities | + | | | enter the global PKI market, | + | | | and in order to get started | + | | | with their business, they | + | | | might make deals with | + | | | established CAs and receive | + | | | so-called | + | | | cross-signing-certificates. As | + | | | a result, when searching for a | + | | | trust path from (A) to a | + | | | trusted anchor (root) | + | | | certificate (Z), the set of | + | | | candidate issuer certificates | + | | | might have different issuer | + | | | names (referring to the second | + | | | or higher issuer level). As a | + | | | consequence, it will be | + | | | necessary to try multiple | + | | | different alternative routes | + | | | while searching for (Z), in a | + | | | recursive manner. Only the | + | | | newer verification engine | + | | | (internally named libPKIX) is | + | | | capable of doing that | + | | | properly. | + | | | It's worth mentioning the | + | | | Extended Validation (EV) | + | | | principle, which is an effort | + | | | by software vendors and CAs to | + | | | define a stricter set of rules | + | | | for issuing certificates for | + | | | web site certificates. Instead | + | | | of simply verifying that the | + | | | requester of a certificate is | + | | | in control of an | + | | | administrative email address | + | | | at the desired web site's | + | | | domain, it's required that the | + | | | CA performs a verification of | + | | | real world identity documents | + | | | (such as a company | + | | | registration document with the | + | | | country's authority), and it's | + | | | also required that a browser | + | | | software performs a revocation | + | | | check with the CA, prior to | + | | | granting validity to the | + | | | certificate. In order to | + | | | distinguish an EV certificate, | + | | | CAs will embed a policy OID in | + | | | the certificate, and the | + | | | browser is expected to verify | + | | | that a trust chain permits the | + | | | end entity (EE) certificate to | + | | | make use of the policy. Only | + | | | the APIs of the newer libPKIX | + | | | engine are capable of | + | | | performing a policy | + | | | verification. | + | | | That's a good opportunity to | + | | | talk about SSL/TLS connections | + | | | to servers in general (not | + | | | just EV, not just websites). | + | | | Whenever this document | + | | | mentions SSL, it refers to | + | | | either SSL or TLS. (TLS is a | + | | | newer version of SSL with | + | | | enhanced features.) | + | | | When establishing an SSL | + | | | connection to a server, (at | + | | | least) a server certificate | + | | | (and its trust chain) is | + | | | exchanged from the server to | + | | | the client (e.g., the | + | | | browser), and the client | + | | | verifies that the certificate | + | | | can be verified (including | + | | | matching the name of the | + | | | expected destination server). | + | | | Another part of the handshake | + | | | between both parties is a key | + | | | exchange. Because public key | + | | | encryption is more expensive | + | | | (more calculations required) | + | | | than symmetric encryption | + | | | (where both parties use the | + | | | same key), a key agreement | + | | | protocol will be executed, | + | | | where the public and private | + | | | keys are used to proof and | + | | | verify the exchanged initial | + | | | information. Once the key | + | | | agreement is done, a symmetric | + | | | encryption will be used (until | + | | | a potential re-handshake on an | + | | | existing channel). The | + | | | combination of the hash and | + | | | encryption algorithms used for | + | | | a SSL connection is called a | + | | | cipher suite. | + | | | NSS ships with a set of cipher | + | | | suites that it supports at a | + | | | technical level. In addition, | + | | | NSS ships with a default | + | | | policy that defines which | + | | | cipher suites are enabled by | + | | | default. An application is | + | | | able to modify the policy used | + | | | at program runtime, by using | + | | | function calls to modify the | + | | | set of enabled cipher suites. | + | | | If a programmer wants to | + | | | influence how NSS verifies | + | | | certificates or how NSS | + | | | verifies the data presented in | + | | | a SSL connection handshake, it | + | | | is possible to register | + | | | application-defined callback | + | | | functions which will be called | + | | | by NSS at the appropriate | + | | | point of time, and which can | + | | | be used to override the | + | | | decisions made by NSS. | + | | | If you would like to use NSS | + | | | as a toolkit that implements | + | | | SSL, remember that you must | + | | | init NSS first. But if you | + | | | don't care about modifying the | + | | | default trust permanently | + | | | (recorded on disk), you can | + | | | use the no-database init | + | | | calls. When creating the | + | | | network socket for data | + | | | exchange, note that you must | + | | | use the operating system | + | | | independent APIs provided by | + | | | NSPR and NSS. It might be | + | | | interesting to mention a | + | | | property of the NSPR file | + | | | descriptors, which are stacked | + | | | in layers. This means you can | + | | | define multiple layers that | + | | | are involved in data | + | | | processing. A file descriptor | + | | | has a pointer to the first | + | | | layer handling the data. That | + | | | layer has a pointer to a | + | | | potential second layer, which | + | | | might have another pointer to | + | | | a third layer, etc. Each layer | + | | | defines its own functions for | + | | | the | + | | | ope | + | | | n/close/read/write/poll/select | + | | | (etc.) functions. When using | + | | | an SSL network connection, | + | | | you'll already have two | + | | | layers, the basic NSPR layer | + | | | and an SSL library layer. The | + | | | Mozilla applications define a | + | | | third layer where application | + | | | specific processing is | + | | | performed. You can find more | + | | | details in the NSPR reference | + | | | documents. | + | | | NSS occassionally has to | + | | | create outbound network | + | | | connections, in addition to | + | | | the connections requested by | + | | | the application. Examples are | + | | | retrieving OCSP (Online | + | | | Certificate Status Protocol) | + | | | information or downloading a | + | | | CRL (Certificate Revocation | + | | | List). However, NSS doesn't | + | | | have an implementation to work | + | | | with network proxies. If you | + | | | must support proxies in your | + | | | application, you are able to | + | | | register your own | + | | | implementation of an http | + | | | request callback interface, | + | | | and NSS can use your | + | | | application code that supports | + | | | proxies. | + | | | When using hashing, | + | | | encryption, and decryption | + | | | functions, it is possible to | + | | | stream data (as opposed to | + | | | operating on a large buffer). | + | | | Create a context handle while | + | | | providing all the parameters | + | | | required for the operation, | + | | | then call an “update” function | + | | | multiple times to pass subsets | + | | | of the input to NSS. The data | + | | | will be processed and either | + | | | returned directly or sent to a | + | | | callback function registered | + | | | in the context. When done, you | + | | | call a finalization function | + | | | that will flush out any | + | | | pending data and free the | + | | | resources. | + | | | This line is a placeholder for | + | | | future sections that should | + | | | explain how libpkix works and | + | | | is designed. | + | | | If you want to work with NSS, | + | | | it's often helpful to use the | + | | | command line utilities that | + | | | are provided by the NSS | + | | | developers. There are tools | + | | | for managing NSS databases, | + | | | for dumping or verifying | + | | | certificates, for registering | + | | | PKCS#11 modules with a | + | | | database, for processing CMS | + | | | encrypted/signed messages, | + | | | etc. | + | | | For example, if you wanted to | + | | | create your own pair of keys | + | | | and request a new certificate | + | | | from a CA, you could use | + | | | certutil to create an empty | + | | | database, then use certutil to | + | | | operate on your database and | + | | | create a certificate request | + | | | (which involves creating the | + | | | desired key pair) and export | + | | | it to a file, submit the | + | | | request file to the CA, | + | | | receive the file from the CA, | + | | | and import the certificate | + | | | into your database. You should | + | | | assign a good nickname to a | + | | | certificate when importing it, | + | | | making it easier for you to | + | | | refer to it later. | + | | | It should be noted that the | + | | | first database format that can | + | | | be accessed simultaneously by | + | | | multiple applications is | + | | | key4.db/cert9.db – database | + | | | files with lower numbers will | + | | | most likely experience | + | | | unrecoverable corruption if | + | | | you access them with multiple | + | | | applications at the same time. | + | | | In other words, if your | + | | | browser or your server | + | | | operates on an older NSS | + | | | database format, don't use the | + | | | NSS tools to operate on it | + | | | while the other software is | + | | | executing. At the time of | + | | | writing NSS and the Mozilla | + | | | applications still use the | + | | | older database file format by | + | | | default, where each | + | | | application has its own NSS | + | | | database. | + | | | If you require a copy of a | + | | | certificate stored in an NSS | + | | | database, including its | + | | | private key, you can use | + | | | pk12util to export it to the | + | | | PKCS#12 file format. If you | + | | | require it in PEM format, you | + | | | could use the openssl pkcs12 | + | | | command (that's not NSS) to | + | | | convert the PKCS#12 file to | + | | | PEM. | + | | | This line is a placeholder for | + | | | how to prepare a database, how | + | | | to dump a cert, and how to | + | | | convert data. | + | | | You might have been motivated | + | | | to work with NSS because it is | + | | | used by the Mozilla | + | | | applications such as Firefox, | + | | | Thunderbird, etc. If you build | + | | | the Mozilla application, it | + | | | will automatically build the | + | | | NSS library, too. However, if | + | | | you want to work with the NSS | + | | | command line tools, you will | + | | | have to follow the standalone | + | | | NSS build instructions, and | + | | | build NSS outside of the | + | | | Mozilla application sources. | + | | | The key database file will | + | | | contain at least one symmetric | + | | | key, which NSS will | + | | | automatically create on | + | | | demand, and which will be used | + | | | to protect your secret | + | | | (private) keys. The symmetric | + | | | key can be protected with PBE | + | | | by setting a master password | + | | | on the database. As soon as | + | | | you set a master password, an | + | | | attacker stealing your key | + | | | database will no longer be | + | | | able to get access to your | + | | | private key, unless the | + | | | attacker would also succeed in | + | | | stealing the master password. | + | | | Now you might be interest in | + | | | how to get the | + | | | :ref:`mozilla_projects_nss | + | | | _nss_sources_building_testing` | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 3 | :ref:`mozill | **NSS** | + | | a_projects_nss_blank_function` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | One-line description of what | + | | | the function does (more than | + | | | just what it returns). | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 4 | :ref:` | **Guide, NSS, Security** | + | | mozilla_projects_nss_building` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | This page has detailed | + | | | information on how to build | + | | | NSS. Because NSS is a | + | | | cross-platform library that | + | | | builds on many different | + | | | platforms and has many | + | | | options, it may be complex to | + | | | build. Please read these | + | | | instructions carefully before | + | | | attempting to build. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 5 | :ref:`mozilla_projec | **NSS** | + | | ts_nss_cert_findcertbydercert` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Find a certificate in the | + | | | database that matches a | + | | | DER-encoded certificate. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 6 | :ref:`mozilla_projects_n | **NSS** | + | | ss_cert_findcertbyissuerandsn` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Find a certificate in the | + | | | database with the given issuer | + | | | and serial number. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 7 | :r | **NSS** | + | | ef:`mozilla_projects_nss_certi | | + | | ficate_download_specification` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | This document describes the | + | | | data formats used by NSS 3.x | + | | | for installing certificates. | + | | | This document is currently | + | | | being revised and has not yet | + | | | been reviewed for accuracy. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 8 | :ref:`mozilla_proje | **NSS** | + | | cts_nss_certificate_functions` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The public functions listed | + | | | here are used to interact with | + | | | certificate databases. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 9 | :ref:`mozill | **NSS** | + | | a_projects_nss_certverify_log` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | All the NSS verify functions | + | | | except, the \*VerifyNow() | + | | | functions, take a parameter | + | | | called 'CERTVerifyLog'. If you | + | | | supply the log parameter, NSS | + | | | will continue chain validation | + | | | after each error . The log | + | | | tells you what the problem was | + | | | with the chain and what | + | | | certificate in the chain | + | | | failed. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 10 | :ref:`mozil | **NSS** | + | | la_projects_nss_code_coverage` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | *No summary!* | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 11 | :ref:`mozilla_projec | **NSS** | + | | ts_nss_cryptography_functions` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The public functions listed | + | | | here perform cryptographic | + | | | operations based on the PKCS | + | | | #11 interface. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 12 | :ref:`mozilla_projects | **NSS** | + | | _nss_deprecated_ssl_functions` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The following SSL functions | + | | | have been replaced with newer | + | | | versions. The deprecated | + | | | functions are not supported by | + | | | the new SSL shared libraries. | + | | | Applications that want to use | + | | | the SSL shared libraries must | + | | | convert to calling the new | + | | | replacement functions listed | + | | | below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 13 | :ref:`mozil | **Decrypt, Encryption, | + | | la_projects_nss_encrypt_decryp | Example, NSS, Sample code** | + | | t_mac_keys_as_session_objects` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Generates encryption/mac keys | + | | | and uses session objects. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 14 | :ref:`mozilla_projects_nss_en | **Example, Intermediate, | + | | crypt_decrypt_mac_using_token` | Mozilla, NSS** | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Generates encryption/mac keys | + | | | and uses token for storing. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 15 | : | **NSS, NeedsUpdate** | + | | ref:`mozilla_projects_nss_faq` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | NSS is set of libraries, APIs, | + | | | utilities, and documentation | + | | | designed to support | + | | | cross-platform development of | + | | | security-enabled client and | + | | | server applications. It | + | | | provides a complete | + | | | open-source implementation of | + | | | the crypto libraries used by | + | | | Mozilla and other companies in | + | | | the Firefox browser, AOL | + | | | Instant Messenger (AIM), | + | | | server products from Red Hat, | + | | | and other products. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 16 | :ref:`mozilla_projects_n | **NSS** | + | | ss_fips_mode_-_an_explanation` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | NSS has a "FIPS Mode" that can | + | | | be enabled when NSS is | + | | | compiled in a specific way. | + | | | (Note: Mozilla does not | + | | | distribute a "FIPS Mode"-ready | + | | | NSS with Firefox.) This page | + | | | attempts to provide an | + | | | informal explanation of what | + | | | it is, who would use it, and | + | | | why. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 17 | :ref:`mozilla_projects | **Samples WIP** | + | | _nss_getting_started_with_nss` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) is a base library for | + | | | cryptographic algorithms and | + | | | secure network protocols used | + | | | by Mozilla software. | + | | | Would you like to get involved | + | | | and help us to improve the | + | | | core security of Mozilla | + | | | Firefox and other applications | + | | | that make use of NSS? We are | + | | | looking forward to your | + | | | contributions! | + | | | We have a large list of tasks | + | | | waiting for attention, and we | + | | | are happy to assist you in | + | | | identifying areas that match | + | | | your interest or skills. You | + | | | can find us on `Mozilla | + | | | IRC `__ | + | | | in channel | + | | | `#nss < | + | | | https://chat.mozilla.org/#/room/#nss:mozilla.org>`__ | + | | | or you could ask your | + | | | questions on the | + | | | `mozilla.dev.tech.cry | + | | | pto `__ | + | | | newsgroup. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 18 | :ref:`mozilla_proje | **Advanced, Guide, NSS** | + | | cts_nss_http_delegation_clone` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Up to version 3.11, | + | | | :ref:`mozilla_projects_nss` | + | | | connects directly over | + | | | `HTTP `__ | + | | | to an OCSP responder to make | + | | | the request and fetch the | + | | | response. It does so in a | + | | | blocking fashion, and also | + | | | directly to the responder, | + | | | ignoring any proxy the | + | | | application may wish to use. | + | | | This causes OCSP requests to | + | | | fail if the network | + | | | environment requires the use | + | | | of a proxy. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 19 | :ref:`mozilla | **Advanced, Guide, NSS** | + | | _projects_nss_http_delegation` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Up to version 3.11, | + | | | :ref:`mozilla_projects_nss` | + | | | connects directly over | + | | | `HTTP `__ | + | | | to an OCSP responder to make | + | | | the request and fetch the | + | | | response. It does so in a | + | | | blocking fashion, and also | + | | | directly to the responder, | + | | | ignoring any proxy the | + | | | application may wish to use. | + | | | This causes OCSP requests to | + | | | fail if the network | + | | | environment requires the use | + | | | of a proxy. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 20 | :ref:`moz | **Introduction, Mozilla, NSS** | + | | illa_projects_nss_introduction | | + | | _to_network_security_services` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | **Network Security Services | + | | | (NSS)** is a set of libraries | + | | | designed to support | + | | | cross-platform development of | + | | | communications applications | + | | | that support SSL, S/MIME, and | + | | | other Internet security | + | | | standards. For a general | + | | | overview of NSS and the | + | | | standards it supports, see | + | | | :ref:`m | + | | | ozilla_projects_nss_overview`. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 21 | :ref:`mozilla_project | **D** | + | | s_nss_jss_4_4_0_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The Java Security Services | + | | | (JSS) team has released JSS | + | | | 4.4.0, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 22 | : | **Guide, JSS, NSS, | + | | ref:`mozilla_projects_nss_jss` | NeedsMigration** | + +--------------------------------+--------------------------------+--------------------------------+ + | | | **The JSS project has been | + | | | relocated!** | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 23 | :ref:`mozilla_proj | **JSS, NSS** | + | | ects_nss_jss_4_3_releasenotes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services for | + | | | Java (JSS) 4.3 is a minor | + | | | release with the following new | + | | | features: | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 24 | :ref:`mozilla_project | **JSS, NSPR, NSS** | + | | s_nss_jss_4_3_1_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services for | + | | | Java (JSS) 4.3.1 is a minor | + | | | release with the following new | + | | | features: | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 25 | :ref | **JSS** | + | | :`mozilla_projects_nss_jss_bui | | + | | ld_instructions_for_jss_4_3_x` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Newsgroup: | + | | | `mozilla.dev.tech | + | | | .crypto `__ | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 26 | :ref | **JSS** | + | | :`mozilla_projects_nss_jss_bui | | + | | ld_instructions_for_jss_4_4_x` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Newsgroup: | + | | | `mozilla.dev.tech | + | | | .crypto `__ | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 27 | :ref:`moz | **JSS** | + | | illa_projects_nss_jss_jss_faq` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Newsgroup: | + | | | `mozilla.dev.tech.cry | + | | | pto `__ | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 28 | :ref:`mozilla_projec | **Crypto, JSS, Security** | + | | ts_nss_jss_jss_provider_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | This page has been moved to | + | | | http://www.do | + | | | gtagpki.org/wiki/JSS_Provider. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 29 | :r | | + | | ef:`mozilla_projects_nss_jss_m | | + | | ozilla-jss_jca_provider_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | * | + | | | Newsgroup:*\ `mozilla.dev.tech | + | | | .crypto `__ | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 30 | :ref:`mozil | **JSS** | + | | la_projects_nss_jss_using_jss` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | *News | + | | | group:*\ `mozilla.dev.tech.cry | + | | | pto `__ | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 31 | :ref:`mozill | | + | | a_projects_nss_key_log_format` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Key logs can be written by NSS | + | | | so that external programs can | + | | | decrypt TLS connections. | + | | | Wireshark 1.6.0 and above can | + | | | use these log files to decrypt | + | | | packets. You can tell | + | | | Wireshark where to find the | + | | | key file via | + | | | *Edit→Preferences→Pro | + | | | tocols→TLS→(Pre)-Master-Secret | + | | | log filename*. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 32 | :ref:`mozilla_p | **NSS** | + | | rojects_nss_memory_allocation` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | NSS makes extensive use of | + | | | NSPR's PLArenaPools for memory | + | | | allocation. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 33 | :ref:`mozilla_pr | | + | | ojects_nss_modutil-tasks_html` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | *No summary!* | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 34 | :ref:`mozilla | **Example** | + | | _projects_nss_new_nss_samples` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | This collection of sample code | + | | | demonstrates how NSS can be | + | | | used for cryptographic | + | | | operations, certificate | + | | | handling, SSL, etc. It also | + | | | demonstrates some best | + | | | practices in the application | + | | | of cryptography. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 35 | :ref:`moz | **Gecko, NSS, Security** | + | | illa_projects_nss_notes_on_tls | | + | | _-_ssl_3_0_intolerant_servers` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | A number of Netscape 6.x/7.x | + | | | and Mozilla users have | + | | | reported that some secure | + | | | sites -- typically sites | + | | | featuring online transactions | + | | | or online banking over the | + | | | HTTPS protocol -- do not | + | | | display any content at all. | + | | | The connection seems | + | | | terminated and a blank page is | + | | | displayed. This is the main | + | | | symptom of the problem when | + | | | Mozilla based browsers | + | | | encounter TLS/SSL 3.0 | + | | | intolerant servers. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 36 | :ref:`mozilla_projects_nss_n | | + | | ss_3_11_10_release_notes_html` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Newsgroup: mozilla. | + | | | dev.tech.crypto | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 37 | :ref:`mozilla_projects_ns | | + | | s_nss_3_12_release_notes_html` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Newsgroup: | + | | | `mozilla.dev.tech | + | | | .crypto `__ | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 38 | :ref:`mozilla_projects_nss_ | | + | | nss_3_12_1_release_notes_html` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Newsgroup: | + | | | `mozilla.dev.tech | + | | | .crypto `__ | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 39 | :ref:`mozilla_projects_nss_ | | + | | nss_3_12_2_release_notes_html` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Newsgroup: | + | | | `mozilla.dev.tech | + | | | .crypto `__ | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 40 | :ref:`mozilla_projects | | + | | _nss_nss_3_12_3_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Newsgroup: | + | | | `mozilla.dev.tech | + | | | .crypto `__ | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 41 | :ref:`mozilla_projects | | + | | _nss_nss_3_12_4_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.12.4 is a patch | + | | | release for NSS 3.12. The bug | + | | | fixes in NSS 3.12.4 are | + | | | described in the "`Bugs | + | | | Fixed <#bugsfixed>`__" section | + | | | below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 42 | :ref:`mozilla_projects | | + | | _nss_nss_3_12_5_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.12.5 is a patch | + | | | release for NSS 3.12. The bug | + | | | fixes in NSS 3.12.5 are | + | | | described in the "`Bugs | + | | | Fixed `__" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 43 | :ref:`mozilla_projects | | + | | _nss_nss_3_12_6_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.12.6 is a patch | + | | | release for NSS 3.12. The bug | + | | | fixes in NSS 3.12.6 are | + | | | described in the "`Bugs | + | | | Fixed `__" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 44 | :ref:`mozilla_projects | **NSS** | + | | _nss_nss_3_12_9_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.12.9 is a patch | + | | | release for NSS 3.12. The bug | + | | | fixes in NSS 3.12.9 are | + | | | described in the "\ `Bugs | + | | | Fixed <#bugsfixed>`__" section | + | | | below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 45 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_14_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.14, which is a minor | + | | | release with the following new | + | | | features: | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 46 | :ref:`mozilla_projects | | + | | _nss_nss_3_14_1_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.14.1 is a patch | + | | | release for NSS 3.14. The bug | + | | | fixes in NSS 3.14.1 are | + | | | described in the "Bugs Fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 47 | :ref:`mozilla_projects | | + | | _nss_nss_3_14_2_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.14.2 is a patch | + | | | release for NSS 3.14. The bug | + | | | fixes in NSS 3.14.2 are | + | | | described in the "Bugs Fixed" | + | | | section below. NSS 3.14.2 | + | | | should be used with NSPR 4.9.5 | + | | | or newer. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 48 | :ref:`mozilla_projects | | + | | _nss_nss_3_14_3_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.14.3 is a patch | + | | | release for NSS 3.14. The bug | + | | | fixes in NSS 3.14.3 are | + | | | described in the "Bugs Fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 49 | :ref:`mozilla_projects | | + | | _nss_nss_3_14_4_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.14.4 is a patch | + | | | release for NSS 3.14. The bug | + | | | fixes in NSS 3.14.4 are | + | | | described in the "Bugs Fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 50 | :ref:`mozilla_projects | | + | | _nss_nss_3_14_5_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.14.5 is a patch | + | | | release for NSS 3.14. The bug | + | | | fixes in NSS 3.14.5 are | + | | | described in the "Bugs Fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 51 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_15_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.15, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 52 | :ref:`mozilla_projects | | + | | _nss_nss_3_15_1_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.15.1 is a patch | + | | | release for NSS 3.15. The bug | + | | | fixes in NSS 3.15.1 are | + | | | described in the "Bugs Fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 53 | :ref:`mozilla_projects | | + | | _nss_nss_3_15_2_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.15.2 is a patch | + | | | release for NSS 3.15. The bug | + | | | fixes in NSS 3.15.2 are | + | | | described in the "Bugs Fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 54 | :ref:`mozilla_projects | | + | | _nss_nss_3_15_3_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.15.3 is a patch | + | | | release for NSS 3.15. The bug | + | | | fixes in NSS 3.15.3 are | + | | | described in the "Bugs Fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 55 | :ref:`mozilla_projects_n | | + | | ss_nss_3_15_3_1_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.15.3.1 is a patch | + | | | release for NSS 3.15. The bug | + | | | fixes in NSS 3.15.3.1 are | + | | | described in the "Bugs Fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 56 | :ref:`mozilla_projects | | + | | _nss_nss_3_15_4_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.15.4 is a patch | + | | | release for NSS 3.15. The bug | + | | | fixes in NSS 3.15.4 are | + | | | described in the "Bugs Fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 57 | :ref:`mozilla_projects | | + | | _nss_nss_3_15_5_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.15.5 is a patch | + | | | release for NSS 3.15. The bug | + | | | fixes in NSS 3.15.5 are | + | | | described in the "Bugs Fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 58 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_16_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.16, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 59 | :ref:`mozilla_projects | | + | | _nss_nss_3_16_1_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.16.1 is a patch | + | | | release for NSS 3.16. The bug | + | | | fixes in NSS 3.16.1 are | + | | | described in the "Bugs Fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 60 | :ref:`mozilla_projects | | + | | _nss_nss_3_16_2_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.16.2 is a patch | + | | | release for NSS 3.16. The bug | + | | | fixes in NSS 3.16.2 are | + | | | described in the "Bugs Fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 61 | :ref:`mozilla_projects_n | **Reference, Security** | + | | ss_nss_3_16_2_1_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.16.2.1 is a patch | + | | | release for NSS 3.16, based on | + | | | the NSS 3.16.2 release. The | + | | | bug fixes in NSS 3.16.2.1 are | + | | | described in the "Bugs Fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 62 | :ref:`mozilla_projects_n | **Reference, Security** | + | | ss_nss_3_16_2_2_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.16.2.2 is a patch | + | | | release for NSS 3.16. The bug | + | | | fixes in NSS 3.16.2.2 are | + | | | described in the "Bugs Fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 63 | :ref:`mozilla_projects_n | **Reference, Security** | + | | ss_nss_3_16_2_3_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.16.2.3 is a patch | + | | | release for NSS 3.16. The bug | + | | | fixes in NSS 3.16.2.3 are | + | | | described in the "Bugs Fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 64 | :ref:`mozilla_projects | | + | | _nss_nss_3_16_3_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.16.3 is a patch | + | | | release for NSS 3.16. The bug | + | | | fixes in NSS 3.16.3 are | + | | | described in the "Bugs Fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 65 | :ref:`mozilla_projects | | + | | _nss_nss_3_16_4_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.16.4 is a patch | + | | | release for NSS 3.16. The bug | + | | | fixes in NSS 3.16.4 are | + | | | described in the "Bugs Fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 66 | :ref:`mozilla_projects | **Reference, Security** | + | | _nss_nss_3_16_5_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.16.5 is a patch | + | | | release for NSS 3.16. The bug | + | | | fixes in NSS 3.16.5 are | + | | | described in the "Bugs Fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 67 | :ref:`mozilla_projects | **Reference, Security** | + | | _nss_nss_3_16_6_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.16.6 is a patch | + | | | release for NSS 3.16. The bug | + | | | fixes in NSS 3.16.6 are | + | | | described in the "Bugs Fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 68 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_17_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.17, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 69 | :ref:`mozilla_projects | **Reference, Security** | + | | _nss_nss_3_17_1_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.17.1 is a patch | + | | | release for NSS 3.17. The bug | + | | | fixes in NSS 3.17.1 are | + | | | described in the "Bugs Fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 70 | :ref:`mozilla_projects | | + | | _nss_nss_3_17_2_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.17.2 is a patch | + | | | release for NSS 3.17. The bug | + | | | fixes in NSS 3.17.2 are | + | | | described in the "Bugs Fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 71 | :ref:`mozilla_projects | **Guide, NSS, Security** | + | | _nss_nss_3_17_3_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.17.3 is a patch | + | | | release for NSS 3.17. The bug | + | | | fixes in NSS 3.17.3 are | + | | | described in the "Bugs Fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 72 | :ref:`mozilla_projects | **Guide, NSS, Security** | + | | _nss_nss_3_17_4_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.17.4 is a patch | + | | | release for NSS 3.17. The bug | + | | | fixes in NSS 3.17.4 are | + | | | described in the "Bugs Fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 73 | :ref:`mozilla_projec | **Guide, NSS, NeedsContent, | + | | ts_nss_nss_3_18_release_notes` | Security** | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.18, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 74 | :ref:`mozilla_projects | **Networking, Security** | + | | _nss_nss_3_18_1_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.18.1 is a patch | + | | | release for NSS 3.18. The bug | + | | | fixes in NSS 3.18.1 are | + | | | described in the "Bugs Fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 75 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_19_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.19, which is a minor | + | | | security release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 76 | :ref:`mozilla_projects | | + | | _nss_nss_3_19_1_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.19.1 is a security | + | | | release for NSS 3.19. The bug | + | | | fixes in NSS 3.19.1 are | + | | | described in the "Bugs Fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 77 | :ref:`mozilla_projects | | + | | _nss_nss_3_19_2_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.19.2 is a patch | + | | | release for NSS 3.19 that | + | | | addresses compatibility issues | + | | | in NSS 3.19.1. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 78 | :ref:`mozilla_projects_n | | + | | ss_nss_3_19_2_1_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.19.2.1 is a patch | + | | | release for NSS 3.19.2. The | + | | | bug fixes in NSS 3.19.2.1 are | + | | | described in the "Security | + | | | Advisories" section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 79 | :ref:`mozilla_projects_n | | + | | ss_nss_3_19_2_2_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.19.2.2 is a security | + | | | patch release for NSS 3.19.2. | + | | | The bug fixes in NSS 3.19.2.2 | + | | | are described in the "Security | + | | | Fixes" section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 80 | :ref:`mozilla_projects_n | | + | | ss_nss_3_19_2_3_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.19.2.3 is a security | + | | | patch release for NSS 3.19.2. | + | | | The bug fixes in NSS 3.19.2.3 | + | | | are described in the "Security | + | | | Fixes" section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 81 | :ref:`mozilla_projects_n | **NSS** | + | | ss_nss_3_19_2_4_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.19.2.4 is a security | + | | | patch release for NSS 3.19.2. | + | | | The bug fixed in NSS 3.19.2.4 | + | | | have been described in the | + | | | "Security Fixes" section | + | | | below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 82 | :ref:`mozilla_projects | | + | | _nss_nss_3_19_3_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.19.3 is a patch | + | | | release for NSS 3.19. The bug | + | | | fixes in NSS 3.19.3 are | + | | | described in the "Bugs Fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 83 | :ref:`mozilla_projects | | + | | _nss_nss_3_19_4_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.19.4 is a patch | + | | | release for NSS 3.19. The bug | + | | | fixes in NSS 3.19.4 are | + | | | described in the "Security | + | | | Advisories" section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 84 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_20_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.20, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 85 | :ref:`mozilla_projects | | + | | _nss_nss_3_20_1_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.20.1 is a patch | + | | | release for NSS 3.20. The bug | + | | | fixes in NSS 3.20.1 are | + | | | described in the "Security | + | | | Advisories" section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 86 | :ref:`mozilla_projects | | + | | _nss_nss_3_20_2_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.20.2 is a security | + | | | patch release for NSS 3.20. | + | | | The bug fixes in NSS 3.20.2 | + | | | are described in the "Security | + | | | Fixes" section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 87 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_21_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | 2016-01-07, this page has been | + | | | updated to include additional | + | | | information about the release. | + | | | The sections "Security Fixes" | + | | | and "Acknowledgements" have | + | | | been added. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 88 | :ref:`mozilla_projects | | + | | _nss_nss_3_21_1_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.21.1 is a security | + | | | patch release for NSS 3.21. | + | | | The bug fixes in NSS 3.21.1 | + | | | are described in the "Security | + | | | Fixes" section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 89 | :ref:`mozilla_projects | | + | | _nss_nss_3_21_2_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.21.2 is a security | + | | | patch release for NSS 3.21.1. | + | | | The bug fixes in NSS 3.21.2 | + | | | are described in the "Security | + | | | Fixes" section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 90 | :ref:`mozilla_projects | | + | | _nss_nss_3_21_3_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.21.3 is a security | + | | | patch release for NSS 3.21.2. | + | | | The bug fixes in NSS 3.21.3 | + | | | are described in the "Security | + | | | Fixes" section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 91 | :ref:`mozilla_projects | | + | | _nss_nss_3_21_4_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.21.4 is a security | + | | | patch release for NSS 3.21. | + | | | The bug fixes in NSS 3.21.4 | + | | | are described in the "Bugs | + | | | Fixed" section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 92 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_22_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.22, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 93 | :ref:`mozilla_projects | | + | | _nss_nss_3_22_1_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.22.1 is a patch | + | | | release for NSS 3.22. The bug | + | | | fixes in NSS 3.22.1 are | + | | | described in the "Notable | + | | | Changes" section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 94 | :ref:`mozilla_projects | | + | | _nss_nss_3_22_2_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.22.2 is a security | + | | | patch release for NSS 3.22. | + | | | The bug fixes in NSS 3.22.2 | + | | | are described in the "Security | + | | | Fixes" section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 95 | :ref:`mozilla_projects | | + | | _nss_nss_3_22_3_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.22.3 is a patch | + | | | release for NSS 3.22. The bug | + | | | fixes in NSS 3.22.3 are | + | | | described in the "Bugs fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 96 | :ref:`mozilla_projec | **Networking, Security** | + | | ts_nss_nss_3_23_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.23, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 97 | :ref:`mozilla_projec | **NSS, Release Notes** | + | | ts_nss_nss_3_24_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The Network Security Services | + | | | (NSS) team has released NSS | + | | | 3.24, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 98 | :ref:`mozilla_projec | **NSS, Release Notes** | + | | ts_nss_nss_3_25_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The Network Security Services | + | | | (NSS) team has released NSS | + | | | 3.25, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 99 | :ref:`mozilla_projects | | + | | _nss_nss_3_25_1_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.25.1 is a patch | + | | | release for NSS 3.25. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 100 | :ref:`mozilla_projec | **NSS, Release Notes** | + | | ts_nss_nss_3_26_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The Network Security Services | + | | | (NSS) team has released NSS | + | | | 3.26, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 101 | :ref:`mozilla_projects | | + | | _nss_nss_3_26_2_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.26.2 is a patch | + | | | release for NSS 3.26. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 102 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_27_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The Network Security Services | + | | | (NSS) team has released NSS | + | | | 3.27, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 103 | :ref:`mozilla_projects | | + | | _nss_nss_3_27_1_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.27.1 is a patch | + | | | release for NSS 3.27. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 104 | :ref:`mozilla_projects | | + | | _nss_nss_3_27_2_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.27.2 is a patch | + | | | release for NSS 3.27. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 105 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_28_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The Network Security Services | + | | | (NSS) team has released NSS | + | | | 3.28, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 106 | :ref:`mozilla_projects | | + | | _nss_nss_3_28_1_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.28.1 is a patch | + | | | release for NSS 3.28. The bug | + | | | fixes in NSS 3.28.1 are | + | | | described in the "Bugs Fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 107 | :ref:`mozilla_projects | | + | | _nss_nss_3_28_2_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.28.2 is a patch | + | | | release for NSS 3.28. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 108 | :ref:`mozilla_projects | | + | | _nss_nss_3_28_3_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.28.3 is a patch | + | | | release for NSS 3.28. The bug | + | | | fixes in NSS 3.28.3 are | + | | | described in the "Bugs Fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 109 | :ref:`mozilla_projects | | + | | _nss_nss_3_28_4_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.28.4 is a security | + | | | patch release for NSS 3.28. | + | | | The bug fixes in NSS 3.28.4 | + | | | are described in the "Bugs | + | | | Fixed" section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 110 | :ref:`mozilla_projects | | + | | _nss_nss_3_28_5_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.28.5 is a patch | + | | | release for NSS 3.28. The bug | + | | | fixes in NSS 3.28.5 are | + | | | described in the "Bugs Fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 111 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_29_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The Network Security Services | + | | | (NSS) team has released NSS | + | | | 3.29, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 112 | :ref:`mozilla_projects | | + | | _nss_nss_3_29_1_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.29.1 is a patch | + | | | release for NSS 3.29. The bug | + | | | fixes in NSS 3.29.1 are | + | | | described in the "Bugs Fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 113 | :ref:`mozilla_projects | | + | | _nss_nss_3_29_2_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.29.2 is a patch | + | | | release for NSS 3.29. The bug | + | | | fixes in NSS 3.29.2 are | + | | | described in the "Bugs Fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 114 | :ref:`mozilla_projects | | + | | _nss_nss_3_29_3_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.29.3 is a patch | + | | | release for NSS 3.29. The bug | + | | | fixes in NSS 3.29.3 are | + | | | described in the "Bugs Fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 115 | :ref:`mozilla_projects | | + | | _nss_nss_3_29_5_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.29.5 is a security | + | | | patch release for NSS 3.29. | + | | | The bug fixes in NSS 3.29.5 | + | | | are described in the "Bugs | + | | | Fixed" section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 116 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_30_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The Network Security Services | + | | | (NSS) team has released NSS | + | | | 3.30, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 117 | :ref:`mozilla_projects | | + | | _nss_nss_3_30_1_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.30.1 is a security | + | | | patch release for NSS 3.30. | + | | | The bug fixes in NSS 3.30.1 | + | | | are described in the "Bugs | + | | | Fixed" section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 118 | :ref:`mozilla_projects | | + | | _nss_nss_3_30_2_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.30.2 is a patch | + | | | release for NSS 3.30. The bug | + | | | fixes in NSS 3.30.2 are | + | | | described in the "Bugs Fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 119 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_31_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The Network Security Services | + | | | (NSS) team has released NSS | + | | | 3.31, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 120 | :ref:`mozilla_projects | | + | | _nss_nss_3_31_1_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The Network Security Services | + | | | (NSS) team has released NSS | + | | | 3.31.1, which is a patch | + | | | release for NSS 3.31. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 121 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_32_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The Network Security Services | + | | | (NSS) team has released NSS | + | | | 3.32, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 122 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_33_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The Network Security Services | + | | | (NSS) team has released NSS | + | | | 3.33, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 123 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_34_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The Network Security Services | + | | | (NSS) team has released NSS | + | | | 3.34, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 124 | :ref:`mozilla_projects | | + | | _nss_nss_3_34_1_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The Network Security Services | + | | | (NSS) team has released NSS | + | | | 3.34.1, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 125 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_35_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.35, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 126 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_36_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.36, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 127 | :ref:`mozilla_projects | | + | | _nss_nss_3_36_1_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.36.1 is a patch | + | | | release for NSS 3.36. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 128 | :ref:`mozilla_projects | **NSS, Release Notes** | + | | _nss_nss_3_36_2_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.36.2 is a patch | + | | | release for NSS 3.36. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 129 | :ref:`mozilla_projects | **NSS, Release Notes** | + | | _nss_nss_3_36_4_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.36.4 is a patch | + | | | release for NSS 3.36. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 130 | :ref:`mozilla_projects | **Mozilla, NSS, Release | + | | _nss_nss_3_36_5_release_notes` | Notes** | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.36.5 is a patch | + | | | release for NSS 3.36. The bug | + | | | fixes in NSS 3.36.5 are | + | | | described in the "Bugs Fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 131 | :ref:`mozilla_projects | **Mozilla, NSS, Release | + | | _nss_nss_3_36_6_release_notes` | Notes** | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.36.6 is a patch | + | | | release for NSS 3.36. The bug | + | | | fixes in NSS 3.36.6 are | + | | | described in the "Bugs Fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 132 | :ref:`mozilla_projects | | + | | _nss_nss_3_36_7_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.36.7 is a patch | + | | | release for NSS 3.36. The bug | + | | | fixes in NSS 3.36.7 are | + | | | described in the "Bugs Fixed" | + | | | section below. It was released | + | | | on 19 January 2019. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 133 | :ref:`mozilla_projects | | + | | _nss_nss_3_36_8_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.36.8 is a patch | + | | | release for NSS 3.36. The bug | + | | | fixes in NSS 3.36.8 are | + | | | described in the "Bugs Fixed" | + | | | section below. It was released | + | | | on 21 June 2019. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 134 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_37_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.37, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 135 | :ref:`mozilla_projects | | + | | _nss_nss_3_37_1_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.37.1 is a patch | + | | | release for NSS 3.37. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 136 | :ref:`mozilla_project | | + | | s_nss_nss_3_37_3release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.37.3 is a patch | + | | | release for NSS 3.37. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 137 | :ref:`mozilla_projec | **Mozilla, NSS, Release | + | | ts_nss_nss_3_38_release_notes` | Notes** | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.38, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 138 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_39_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.39, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 139 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_40_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.40, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 140 | :ref:`mozilla_projects | | + | | _nss_nss_3_40_1_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.40.1, which is a patch | + | | | release for NSS 3.40 | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 141 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_41_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.41 on 7 December 2018, | + | | | which is a minor release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 142 | :ref:`mozilla_projects | | + | | _nss_nss_3_41_1_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.41.1 is a patch | + | | | release for NSS 3.41. The bug | + | | | fixes in NSS 3.41.1 are | + | | | described in the "Bugs Fixed" | + | | | section below. It was released | + | | | on 22 January 2019. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 143 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_42_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.42 on 25 January 2019, | + | | | which is a minor release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 144 | :ref:`mozilla_projects | | + | | _nss_nss_3_42_1_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.42.1 on 31 January | + | | | 2019, which is a patch | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 145 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_43_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.43 on 16 March 2019, | + | | | which is a minor release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 146 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_44_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.44 on 10 May 2019, | + | | | which is a minor release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 147 | :ref:`mozilla_projects | | + | | _nss_nss_3_44_1_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.44.1 is a patch | + | | | release for NSS 3.44. The bug | + | | | fixes in NSS 3.44.1 are | + | | | described in the "Bugs Fixed" | + | | | section below. It was released | + | | | on 21 June 2019. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 148 | :ref:`mozilla_projects | | + | | _nss_nss_3_44_2_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.44.2 is a patch | + | | | release for NSS 3.44. The bug | + | | | fixes in NSS 3.44.2 are | + | | | described in the "Bugs Fixed" | + | | | section below. It was released | + | | | on 2 October 2019. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 149 | :ref:`mozilla_projects | | + | | _nss_nss_3_44_3_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.44.3 is a patch | + | | | release for NSS 3.44. The bug | + | | | fixes in NSS 3.44.3 are | + | | | described in the "Bugs Fixed" | + | | | section below. It was released | + | | | on 19 November 2019. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 150 | :ref:`mozilla_projects | | + | | _nss_nss_3_44_4_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.44.4 on **19 May | + | | | 2020**. This is a security | + | | | patch release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 151 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_45_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.45 on **5 July 2019**, | + | | | which is a minor release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 152 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_46_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.46 on **30 August | + | | | 2019**, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 153 | :ref:`mozilla_projects | | + | | _nss_nss_3_46_1_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.46.1 is a patch | + | | | release for NSS 3.46. The bug | + | | | fixes in NSS 3.46.1 are | + | | | described in the "Bugs Fixed" | + | | | section below. It was released | + | | | on 2 October 2019. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 154 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_47_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.47 on **18 October | + | | | 2019**, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 155 | :ref:`mozilla_projects | | + | | _nss_nss_3_47_1_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.47.1 is a patch | + | | | release for NSS 3.47. The bug | + | | | fixes in NSS 3.47.1 are | + | | | described in the "Bugs Fixed" | + | | | section below. It was released | + | | | on 19 November 2019. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 156 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_48_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.48 on **5 December | + | | | 2019**, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 157 | :ref:`mozilla_projects | | + | | _nss_nss_3_48_1_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.48.1 is a patch | + | | | release for NSS 3.48. The bug | + | | | fixes in NSS 3.48.1 are | + | | | described in the "Bugs Fixed" | + | | | section below. It was released | + | | | on **13 January 2020**. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 158 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_49_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.49 on **3 January | + | | | 2020**, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 159 | :ref:`mozilla_projects | | + | | _nss_nss_3_49_1_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.49.1 is a patch | + | | | release for NSS 3.49. The bug | + | | | fixes in NSS 3.49.1 are | + | | | described in the "Bugs Fixed" | + | | | section below. It was released | + | | | on **13 January 2020**. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 160 | :ref:`mozilla_projects | | + | | _nss_nss_3_49_2_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.49.2 is a patch | + | | | release for NSS 3.49. The bug | + | | | fixes in NSS 3.49.2 are | + | | | described in the "Bugs Fixed" | + | | | section below. It was released | + | | | on **23 January 2020**. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 161 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_50_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.50 on **7 February | + | | | 2020**, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 162 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_51_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.51 on **6 March | + | | | 2020**, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 163 | :ref:`mozilla_projects | | + | | _nss_nss_3_51_1_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.51.1 on **3 April | + | | | 2020**. This is a minor | + | | | release focusing on functional | + | | | bug fixes and low-risk patches | + | | | only. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 164 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_52_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.52 on **1 May 2020**. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 165 | :ref:`mozilla_projects | | + | | _nss_nss_3_52_1_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.52.1 on **19 May | + | | | 2020**. This is a security | + | | | patch release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 166 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_53_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team released Network | + | | | Security Services (NSS) 3.53 | + | | | on **29 May 2020**. NSS 3.53 | + | | | will be a long-term support | + | | | release, supporting Firefox 78 | + | | | ESR. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 167 | :ref:`mozilla_projects | | + | | _nss_nss_3_53_1_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.53.1 on **16 June | + | | | 2020**. This is a security | + | | | patch release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 168 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_54_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.54 on **26 June | + | | | 2020**, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 169 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_55_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.55 on **24 July | + | | | 2020**, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 170 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_56_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.56 on **21 August | + | | | 2020**, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 171 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_57_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.57 on **18 September | + | | | 2020**, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 172 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_58_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.58 on **16 October | + | | | 2020**, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 173 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_59_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.59 on **13 November | + | | | 2020**, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 174 | :ref:`mozilla_projects | | + | | _nss_nss_3_59_1_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.59.1 on **18 December | + | | | 2020**, which is a patch | + | | | release for NSS 3.59. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 175 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_60_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.60 on **11 December | + | | | 2020**, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 176 | :ref:`mozilla_projects | | + | | _nss_nss_3_60_1_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team released Network | + | | | Security Services (NSS) 3.60.1 | + | | | on **4 January 2021**, which | + | | | is a patch release for NSS | + | | | 3.60. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 177 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_61_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team released Network | + | | | Security Services (NSS) 3.61 | + | | | on **22 January 2021**, which | + | | | is a minor release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 178 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_62_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team released Network | + | | | Security Services (NSS) 3.62 | + | | | on **19 February 2021**, which | + | | | is a minor release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 179 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_63_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.63 was released on | + | | | **18 March 2021**. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 180 | :ref:`mozilla_projects | | + | | _nss_nss_3_63_1_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.63.1 was released on | + | | | **6 April 2021**. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 181 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_64_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.64 was released on | + | | | **15 April 2021**. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 182 | :ref:`mozilla_pr | | + | | ojects_nss_nss_api_guidelines` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Newsgroup: | + | | | `mozilla.dev.tech | + | | | .crypto `__ | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 183 | :ref:`mozilla_pr | | + | | ojects_nss_nss_config_options` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The specified ciphers will be | + | | | allowed by policy, but an | + | | | application may allow more by | + | | | policy explicitly: | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 184 | :ref:`mozilla_projec | **NSS, Tutorial** | + | | ts_nss_nss_developer_tutorial` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | **Line length** should not | + | | | exceed 80 characters. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 185 | :ref:`mozilla_projects_n | | + | | ss_nss_release_notes_template` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.XX, which is a minor | + | | | release. | + | | | or | + | | | Network Security Services | + | | | (NSS) 3.XX.y is a patch | + | | | release for NSS 3.XX. The bug | + | | | fixes in NSS 3.XX.y are | + | | | described in the "Bugs Fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 186 | :ref:`mozi | **Landing, Mozilla, NSS, | + | | lla_projects_nss_nss_releases` | Networking, Project, Release | + | | | Notes, Security** | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The current **Stable** release | + | | | of NSS is 3.64, which was | + | | | released on **15 April 2021**. | + | | | (:ref:`mozilla_project | + | | | s_nss_nss_3_64_release_notes`) | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 187 | :ref:`mozilla | **Example** | + | | _projects_nss_nss_sample_code` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The collection of sample code | + | | | here demonstrates how NSS can | + | | | be used for cryptographic | + | | | operations, certificate | + | | | handling, SSL, etc. It also | + | | | demonstrates some best | + | | | practices in the application | + | | | of cryptography. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 188 | :ref:`mozilla_projec | | + | | ts_nss_nss_sample_code_enc_dec | | + | | _mac_output_plblic_key_as_csr` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Generates encryption/mac keys | + | | | and outputs public key as | + | | | certificate signing request | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 189 | :ref:`mozilla_projects_nss_ns | | + | | s_sample_code_enc_dec_mac_usin | | + | | g_key_wrap_certreq_pkcs10_csr` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Generates encryption/mac keys | + | | | and outputs public key as | + | | | pkcs11 certificate signing | + | | | request | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 190 | :ref:`mozilla_p | | + | | rojects_nss_nss_sample_code_en | | + | | crypt_decrypt_mac_using_token` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Generates encryption/mac keys | + | | | and uses token for storing. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 191 | :ref:`mozilla_pr | **Examples, NSS, Security** | + | | ojects_nss_nss_sample_code_nss | | + | | _sample_code_sample_1_hashing` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | This is an example program | + | | | that demonstrates how to | + | | | compute the hash of a file and | + | | | save it to another file. This | + | | | program illustrates the use of | + | | | NSS message APIs. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 192 | :ref:`mozilla_projects_nss_nss | **Examples, NSS, Security** | + | | _sample_code_nss_sample_code_s | | + | | ample_2_initialization_of_nss` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | This example program | + | | | demonstrates how to initialize | + | | | the NSS Database. This | + | | | program illustrates password | + | | | handling. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 193 | :ref | **Examples, NSS, Security** | + | | :`mozilla_projects_nss_nss_sam | | + | | ple_code_nss_sample_code_sampl | | + | | e_3_basic_encryption_and_maci` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | This example program | + | | | demonstrates how to encrypt | + | | | and MAC a file. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 194 | :ref:`m | | + | | ozilla_projects_nss_nss_sample | | + | | _code_nss_sample_code_sample1` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | This is an example program | + | | | that demonstrates how to do | + | | | key generation and transport | + | | | between cooperating servers. | + | | | This program shows the | + | | | following: | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 195 | :ref:`m | | + | | ozilla_projects_nss_nss_sample | | + | | _code_nss_sample_code_sample2` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | *No summary!* | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 196 | :ref:`m | | + | | ozilla_projects_nss_nss_sample | | + | | _code_nss_sample_code_sample3` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | *No summary!* | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 197 | :ref:`m | | + | | ozilla_projects_nss_nss_sample | | + | | _code_nss_sample_code_sample4` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | *No summary!* | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 198 | :ref:`m | | + | | ozilla_projects_nss_nss_sample | | + | | _code_nss_sample_code_sample5` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | *No summary!* | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 199 | :ref:`m | | + | | ozilla_projects_nss_nss_sample | | + | | _code_nss_sample_code_sample6` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | *No summary!* | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 200 | :ref:`mozil | **Examples, NSS, Security** | + | | la_projects_nss_nss_sample_cod | | + | | e_nss_sample_code_utililies_1` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | This is a library of utilities | + | | | used by many of the samples. | + | | | This code shows the following: | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 201 | : | **HTML, Hashing Sample, | + | | ref:`mozilla_projects_nss_nss_ | JavaScript, NSS, Web | + | | sample_code_sample1_-_hashing` | Development, hashing** | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS same code below | + | | | computes the hash of a file | + | | | and saves it to another file, | + | | | this illustrates the use of | + | | | NSS message APIs. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 202 | :ref:`mozilla_project | **Example, NSS** | + | | s_nss_nss_sample_code_sample1` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | 1. A program to compute the | + | | | hash of a file and save it to | + | | | another file. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 203 | :ref:`mozilla_pro | **HTML, JavaScript, NSS, NSS | + | | jects_nss_nss_sample_code_samp | Article, NSS Initialization, | + | | le2_-_initialize_nss_database` | Web Development** | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS sample code below | + | | | demonstrates how to initialize | + | | | the NSS database. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 204 | :ref:`mozilla_project | | + | | s_nss_nss_sample_code_sample2` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | *No summary!* | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 205 | :ref:`mozilla_projects | **EncDeCMac, HTML, NCC, NCC | + | | _nss_nss_sample_code_sample3_- | Article, Web, Web | + | | _encdecmac_using_token_object` | Development** | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Computes the hash of a file | + | | | and saves it to another file, | + | | | illustrates the use of NSS | + | | | message APIs. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 206 | :ref:`moz | | + | | illa_projects_nss_nss_sample_c | | + | | ode_utiltiies_for_nss_samples` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | These utility functions are | + | | | adapted from those found in | + | | | the sectool library used by | + | | | the NSS security tools and | + | | | other NSS test applications. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 207 | :ref:`mozilla_projects_nss | **Build documentation, Guide, | + | | _nss_sources_building_testing` | NSS, Security** | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Getting the source code of | + | | | :ref:`mozilla_projects_nss`, | + | | | how to build it, and how to | + | | | run its test suite. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 208 | :ref:`mozill | **NSS** | + | | a_projects_nss_nss_tech_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Newsgroup: | + | | | `mozilla.dev.tech | + | | | .crypto `__ | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 209 | :ref:`mozilla_projects_nss_ | | + | | nss_tech_notes_nss_tech_note1` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The main non-streaming APIs | + | | | for these two decoders have an | + | | | identical prototype : | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 210 | :ref:`mozilla_projects_nss_ | | + | | nss_tech_notes_nss_tech_note2` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The logger displays all | + | | | activity between NSS and a | + | | | specified PKCS #11 module. It | + | | | works by inserting a special | + | | | set of entry points between | + | | | NSS and the module. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 211 | :ref:`mozilla_projects_nss_ | | + | | nss_tech_notes_nss_tech_note3` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | *No summary!* | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 212 | :ref:`mozilla_projects_nss_ | | + | | nss_tech_notes_nss_tech_note4` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | *No summary!* | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 213 | :ref:`mozilla_projects_nss_ | | + | | nss_tech_notes_nss_tech_note5` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | **Note:** AES encryption, a | + | | | fixed blocksize of 16 bytes is | + | | | used. The Rijndael algorithm | + | | | permits 3 blocksizes (16, 24, | + | | | 32 bytes), but the AES | + | | | standard requires the | + | | | blocksize to be 16 bytes. The | + | | | keysize can vary and these | + | | | keysizes are permitted: 16, | + | | | 24, 32 bytes. | + | | | You can also look at a `sample | + | | | program <. | + | | | ./sample-code/sample2.html>`__ | + | | | illustrating encryption | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 214 | :ref:`mozilla_projects_nss_ | | + | | nss_tech_notes_nss_tech_note6` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The following applies to NSS | + | | | 3.8 through 3.10 : | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 215 | :ref:`mozilla_projects_nss_ | | + | | nss_tech_notes_nss_tech_note7` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | This technical note explains | + | | | how to use NSS to perform RSA | + | | | signing and encryption. The | + | | | industry standard for RSA | + | | | signing and encryption is | + | | | `PKCS | + | | | #1 `__. | + | | | NSS supports PKCS #1 v1.5. NSS | + | | | doesn't yet support PKCS #1 | + | | | v2.0 and v2.1, in particular | + | | | OAEP, but OAEP support is on | + | | | our `to-do | + | | | li | + | | | st `__. | + | | | Your contribution is welcome. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 216 | :ref:`mozilla_projects_nss_ | | + | | nss_tech_notes_nss_tech_note8` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | *No summary!* | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 217 | :ref:`mozilla_proj | **NSS, Security, Third-Party | + | | ects_nss_nss_third-party_code` | Code** | + +--------------------------------+--------------------------------+--------------------------------+ + | | | This is a list of third-party | + | | | code included in the NSS | + | | | repository, broken into two | + | | | lists: Code that can be | + | | | compiled into the NSS | + | | | libraries, and code that is | + | | | only used for testing. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 218 | :ref:`mozilla_proje | | + | | cts_nss_nss_tools_sslstrength` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | 2) sslstrength hostname[:port] | + | | | [ciphers=xyz] [debug] | + | | | [verbose] | + | | | [policy=export|domestic] | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 219 | :ref:` | **NSS** | + | | mozilla_projects_nss_overview` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | If you want to add support for | + | | | SSL, S/MIME, or other Internet | + | | | security standards to your | + | | | application, you can use | + | | | Network Security Services | + | | | (NSS) to implement all your | + | | | security features. NSS | + | | | provides a complete | + | | | open-source implementation of | + | | | the crypto libraries used by | + | | | AOL, Red Hat, Google, and | + | | | other companies in a variety | + | | | of products, including the | + | | | following: | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 220 | :ref:`mozilla_p | **NSS** | + | | rojects_nss_pkcs_12_functions` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The public functions listed | + | | | here perform PKCS #12 | + | | | operations required by some of | + | | | the NSS tools and other | + | | | applications. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 221 | :ref:`mozilla_ | **NSS** | + | | projects_nss_pkcs_7_functions` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The public functions listed | + | | | here perform PKCS #7 | + | | | operations required by mail | + | | | and news applications and by | + | | | some of the NSS tools. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 222 | :ref:`mozilla_ | **NSS** | + | | projects_nss_pkcs11_functions` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | This chapter describes the | + | | | core PKCS #11 functions that | + | | | an application needs for | + | | | communicating with | + | | | cryptographic modules. In | + | | | particular, these functions | + | | | are used for obtaining | + | | | certificates, keys, and | + | | | passwords. This was converted | + | | | from `"Chapter 7: PKCS #11 | + | | | Functions" `__. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 223 | :ref:`mozilla_ | | + | | projects_nss_pkcs11_implement` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | **NOTE:** This document was | + | | | originally for the Netscape | + | | | Security Library that came | + | | | with Netscape Communicator | + | | | 4.0. This note will be removed | + | | | once the document is updated | + | | | for the current version of | + | | | NSS. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 224 | :ref | **NSS, Security** | + | | :`mozilla_projects_nss_pkcs11` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | PKCS #11 information for | + | | | implementors of cryptographic | + | | | modules: | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 225 | :ref:`mo | **NSS, Security** | + | | zilla_projects_nss_pkcs11_faq` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | NSS searches all the installed | + | | | PKCS #11 modules when looking | + | | | for certificates. Once you've | + | | | installed the module, the | + | | | module's certificates simply | + | | | appear in the list of | + | | | certificates displayed in the | + | | | Certificate window. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 226 | :ref:`mozilla_projects_n | **Authentication, Biometric, | + | | ss_pkcs11_module_installation` | Mozilla, NSS, PKCS #11, | + | | | Projects, Security, Smart | + | | | Card, Smart-card, Smartcard, | + | | | pkcs11** | + +--------------------------------+--------------------------------+--------------------------------+ + | | | `PKCS #11 `__ | + | | | modules are external modules | + | | | which add to Firefox support | + | | | for smartcard readers, | + | | | biometric security devices, | + | | | and external certificate | + | | | stores. This article covers | + | | | the two methods for installing | + | | | PKCS #11 modules into Firefox. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 227 | :ref:`mozilla_pro | **NSS** | + | | jects_nss_pkcs11_module_specs` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The following is a proposal to | + | | | the | + | | | `PKCS `__ | + | | | #11 working group made in | + | | | August 2001 for configuring | + | | | PKCS #11 modules. NSS | + | | | currently implements this | + | | | proposal internally. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 228 | :ref:`mozilla_projec | | + | | ts_nss_python_binding_for_nss` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | python-nss is a Python binding | + | | | for NSS (Network Security | + | | | Services) and NSPR (Netscape | + | | | Portable Runtime). NSS | + | | | provides cryptography services | + | | | supporting SSL, TLS, PKI, | + | | | PKIX, X509, PKCS*, etc. NSS is | + | | | an alternative to OpenSSL and | + | | | used extensively by major | + | | | software projects. NSS is | + | | | FIPS-140 certified. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 229 | :ref:`m | **NSS** | + | | ozilla_projects_nss_reference` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Based on | + | | | :ref:`mozilla_projec | + | | | ts_nss_ssl_functions_sslintro` | + | | | in the SSL Reference. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 230 | :ref: | **NSS** | + | | `mozilla_projects_nss_referenc | | + | | e_building_and_installing_nss` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | This chapter describes how to | + | | | build and install NSS. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 231 | :ref:`mozilla_projects_n | **NSS** | + | | ss_reference_building_and_inst | | + | | alling_nss_build_instructions` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Numerous optional features of | + | | | NSS builds are controlled | + | | | through make variables. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 232 | :ref:`mozilla_projects_n | **NSS** | + | | ss_reference_building_and_inst | | + | | alling_nss_installation_guide` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The build system of NSS | + | | | originated from Netscape's | + | | | build system, which predated | + | | | the "configure; make; make | + | | | test; make install" sequence | + | | | that we're familiar with now. | + | | | Our makefiles also have an | + | | | "install" target, but it has a | + | | | different meaning: our | + | | | "install" means installing the | + | | | headers, libraries, and | + | | | programs in the appropriate | + | | | directories under | + | | | mozilla/dist. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 233 | :ref:`mozilla_project | | + | | s_nss_reference_building_and_i | | + | | nstalling_nss_migration_to_hg` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSPR, NSS and related | + | | | projects have stopped using | + | | | Mozilla'a CVS server, but have | + | | | migrated to | + | | | Mozilla's HG (Mercurial) | + | | | server. | + | | | Each project now lives in its | + | | | own separate space, they can | + | | | be found at: | + | | | https:/ | + | | | /hg.mozilla.org/projects/nspr/ | + | | | https: | + | | | //hg.mozilla.org/projects/nss/ | + | | | https: | + | | | //hg.mozilla.org/projects/jss/ | + | | | | + | | | https://hg.mo | + | | | zilla.org/projects/python-nss/ | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 234 | :r | **NSS** | + | | ef:`mozilla_projects_nss_refer | | + | | ence_building_and_installing_n | | + | | ss_sample_manual_installation` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS build system does not | + | | | include a target to install | + | | | header files and shared | + | | | libraries in the system | + | | | directories, so this needs to | + | | | be done manually. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 235 | :ref:`mozilla_projects_ns | **NSS** | + | | s_reference_fc_cancelfunction` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_CancelFunction - cancel a | + | | | function running in parallel | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 236 | :ref:`mozilla_projects_nss_ | **NSS** | + | | reference_fc_closeallsessions` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_CloseAllSessions - close | + | | | all sessions between an | + | | | application and a token. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 237 | :ref:`mozilla_projects_ | **NSS** | + | | nss_reference_fc_closesession` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_CloseSession - close a | + | | | session opened between an | + | | | application and a token. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 238 | :ref:`mozilla_project | **NSS** | + | | s_nss_reference_fc_copyobject` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_CopyObject - create a copy | + | | | of an object. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 239 | :ref:`mozilla_projects_ | **NSS** | + | | nss_reference_fc_createobject` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_CreateObject - create a new | + | | | object. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 240 | :ref:`mozilla_proj | **NSS** | + | | ects_nss_reference_fc_decrypt` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_Decrypt - Decrypt a block | + | | | of data. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 241 | :ref:`mozilla_projects_nss_ref | **NSS** | + | | erence_fc_decryptdigestupdate` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_DecryptDigestUpdate - | + | | | continue a multi-part decrypt | + | | | and digest operation | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 242 | :ref:`mozilla_projects_ | **NSS** | + | | nss_reference_fc_decryptfinal` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_DecryptFinal - finish a | + | | | multi-part decryption | + | | | operation. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 243 | :ref:`mozilla_projects | **NSS** | + | | _nss_reference_fc_decryptinit` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_DecryptInit - initialize a | + | | | decryption operation. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 244 | :ref:`mozilla_projects_n | **NSS** | + | | ss_reference_fc_decryptupdate` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_DecryptUpdate - decrypt a | + | | | block of a multi-part | + | | | encryption operation. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 245 | :ref:`mozilla_projects_nss_ref | **NSS** | + | | erence_fc_decryptverifyupdate` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_DecryptVerifyUpdate - | + | | | continue a multi-part decrypt | + | | | and verify operation | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 246 | :ref:`mozilla_projec | **NSS** | + | | ts_nss_reference_fc_derivekey` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_DeriveKey - derive a key | + | | | from a base key | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 247 | :ref:`mozilla_projects_n | **NSS** | + | | ss_reference_fc_destroyobject` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_DestroyObject - destroy an | + | | | object. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 248 | :ref:`mozilla_pro | **NSS** | + | | jects_nss_reference_fc_digest` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_Digest - digest a block of | + | | | data. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 249 | :ref:`mozilla_projects_nss_ref | **NSS** | + | | erence_fc_digestencryptupdate` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_DigestEncryptUpdate - | + | | | continue a multi-part digest | + | | | and encryption operation | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 250 | :ref:`mozilla_projects | **NSS** | + | | _nss_reference_fc_digestfinal` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_DigestFinal - finish a | + | | | multi-part digest operation. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 251 | :ref:`mozilla_project | **NSS** | + | | s_nss_reference_fc_digestinit` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_DigestInit - initialize a | + | | | message-digest operation. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 252 | :ref:`mozilla_projec | **NSS** | + | | ts_nss_reference_fc_digestkey` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_DigestKey - add the digest | + | | | of a key to a multi-part | + | | | digest operation. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 253 | :ref:`mozilla_projects_ | **NSS** | + | | nss_reference_fc_digestupdate` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_DigestUpdate - process the | + | | | next block of a multi-part | + | | | digest operation. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 254 | :ref:`mozilla_proj | **NSS** | + | | ects_nss_reference_fc_encrypt` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_Encrypt - Encrypt a block | + | | | of data. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 255 | :ref:`mozilla_projects_ | **NSS** | + | | nss_reference_fc_encryptfinal` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_EncryptFinal - finish a | + | | | multi-part encryption | + | | | operation. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 256 | :ref:`mozilla_projects | **NSS** | + | | _nss_reference_fc_encryptinit` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_EncryptInit - initialize an | + | | | encryption operation. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 257 | :ref:`mozilla_projects_n | **NSS** | + | | ss_reference_fc_encryptupdate` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_EncryptUpdate - encrypt a | + | | | block of a multi-part | + | | | encryption operation. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 258 | :ref:`mozilla_proje | **NSS** | + | | cts_nss_reference_fc_finalize` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_Finalize - indicate that an | + | | | application is done with the | + | | | PKCS #11 library. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 259 | :ref:`mozilla_projects | **NSS** | + | | _nss_reference_fc_findobjects` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_FindObjects - Search for | + | | | one or more objects | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 260 | :ref:`mozilla_projects_nss_ | **NSS** | + | | reference_fc_findobjectsfinal` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_FindObjectsFinal - | + | | | terminate an object search. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 261 | :ref:`mozilla_projects_nss | **NSS** | + | | _reference_fc_findobjectsinit` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_FindObjectsInit - | + | | | initialize the parameters for | + | | | an object search. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 262 | :ref:`mozilla_projects | **NSS** | + | | _nss_reference_fc_generatekey` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_GenerateKey - generate a | + | | | new key | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 263 | :ref:`mozilla_projects_nss | **NSS** | + | | _reference_fc_generatekeypair` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_GenerateKeyPair - generate | + | | | a new public/private key pair | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 264 | :ref:`mozilla_projects_ns | **NSS** | + | | s_reference_fc_generaterandom` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_GenerateRandom - generate a | + | | | random number. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 265 | :ref:`mozilla_projects_nss_r | **NSS** | + | | eference_fc_getattributevalue` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_GetAttributeValue - get the | + | | | value of attributes of an | + | | | object. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 266 | :ref:`mozilla_projects_nss | **NSS** | + | | _reference_fc_getfunctionlist` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_GetFunctionList - get a | + | | | pointer to the list of | + | | | function pointers in the FIPS | + | | | mode of operation. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 267 | :ref:`mozilla_projects_nss_r | **NSS** | + | | eference_fc_getfunctionstatus` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_GetFunctionStatus - get the | + | | | status of a function running | + | | | in parallel | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 268 | :ref:`mozilla_proj | **NSS** | + | | ects_nss_reference_fc_getinfo` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_GetInfo - return general | + | | | information about the PKCS #11 | + | | | library. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 269 | :ref:`mozilla_projects_nss_ | **NSS** | + | | reference_fc_getmechanisminfo` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_GetMechanismInfo - get | + | | | information on a particular | + | | | mechanism. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 270 | :ref:`mozilla_projects_nss_ | **NSS** | + | | reference_fc_getmechanismlist` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_GetMechanismList - get a | + | | | list of mechanism types | + | | | supported by a token. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 271 | :ref:`mozilla_projects_n | **NSS** | + | | ss_reference_fc_getobjectsize` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_GetObjectSize - create a | + | | | copy of an object. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 272 | :ref:`mozilla_projects_nss_r | **NSS** | + | | eference_fc_getoperationstate` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_GetOperationState - get the | + | | | cryptographic operation state | + | | | of a session. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 273 | :ref:`mozilla_projects_ns | **NSS** | + | | s_reference_fc_getsessioninfo` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_GetSessionInfo - obtain | + | | | information about a session. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 274 | :ref:`mozilla_projects | **NSS** | + | | _nss_reference_fc_getslotinfo` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_GetSlotInfo - get | + | | | information about a particular | + | | | slot in the system. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 275 | :ref:`mozilla_projects | **NSS** | + | | _nss_reference_fc_getslotlist` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_GetSlotList - Obtain a list | + | | | of slots in the system. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 276 | :ref:`mozilla_projects_ | **NSS** | + | | nss_reference_fc_gettokeninfo` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_GetTokenInfo - obtain | + | | | information about a particular | + | | | token in the system. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 277 | :ref:`mozilla_project | **NSS** | + | | s_nss_reference_fc_initialize` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_Initialize - initialize the | + | | | PKCS #11 library. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 278 | :ref:`mozilla_proj | **NSS** | + | | ects_nss_reference_fc_initpin` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | ``FC_InitPIN()`` - Initialize | + | | | the user's PIN. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 279 | :ref:`mozilla_projec | **NSS** | + | | ts_nss_reference_fc_inittoken` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | ``FC_InitToken()`` - | + | | | initialize or re-initialize a | + | | | token. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 280 | :ref:`mozilla_pr | **NSS** | + | | ojects_nss_reference_fc_login` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | ``FC_Login()`` - log a user | + | | | into a token. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 281 | :ref:`mozilla_pro | **NSS** | + | | jects_nss_reference_fc_logout` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_Logout - log a user out | + | | | from a token. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 282 | :ref:`mozilla_projects | **NSS** | + | | _nss_reference_fc_opensession` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_OpenSession - open a | + | | | session between an application | + | | | and a token. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 283 | :ref:`mozilla_project | **NSS** | + | | s_nss_reference_fc_seedrandom` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | ``FC_SeedRandom()`` - mix | + | | | additional seed material into | + | | | the random number generator. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 284 | :ref:`mozilla_projects_nss_r | **NSS** | + | | eference_fc_setattributevalue` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_SetAttributeValue - set the | + | | | values of attributes of an | + | | | object. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 285 | :ref:`mozilla_projects_nss_r | **NSS** | + | | eference_fc_setoperationstate` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_SetOperationState - restore | + | | | the cryptographic operation | + | | | state of a session. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 286 | :ref:`mozilla_pro | **NSS** | + | | jects_nss_reference_fc_setpin` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_SetPIN - Modify the user's | + | | | PIN. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 287 | :ref:`mozilla_p | **NSS** | + | | rojects_nss_reference_fc_sign` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_Sign - sign a block of | + | | | data. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 288 | :ref:`mozilla_projects_nss_r | **NSS** | + | | eference_fc_signencryptupdate` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_SignEncryptUpdate - | + | | | continue a multi-part signing | + | | | and encryption operation | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 289 | :ref:`mozilla_projec | **NSS** | + | | ts_nss_reference_fc_signfinal` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_SignFinal - finish a | + | | | multi-part signing operation. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 290 | :ref:`mozilla_proje | **NSS** | + | | cts_nss_reference_fc_signinit` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_SignInit - initialize a | + | | | signing operation. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 291 | :ref:`mozilla_projects | **NSS** | + | | _nss_reference_fc_signrecover` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_SignRecover - Sign data in | + | | | a single recoverable | + | | | operation. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 292 | :ref:`mozilla_projects_nss | **NSS** | + | | _reference_fc_signrecoverinit` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_SignRecoverInit - | + | | | initialize a sign recover | + | | | operation. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 293 | :ref:`mozilla_project | **NSS** | + | | s_nss_reference_fc_signupdate` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_SignUpdate - process the | + | | | next block of a multi-part | + | | | signing operation. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 294 | :ref:`mozilla_projec | **NSS** | + | | ts_nss_reference_fc_unwrapkey` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_UnwrapKey - unwrap a key | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 295 | :ref:`mozilla_pro | **NSS** | + | | jects_nss_reference_fc_verify` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_Verify - sign a block of | + | | | data. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 296 | :ref:`mozilla_projects | **NSS** | + | | _nss_reference_fc_verifyfinal` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_VerifyFinal - finish a | + | | | multi-part verify operation. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 297 | :ref:`mozilla_project | **NSS** | + | | s_nss_reference_fc_verifyinit` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_VerifyInit - initialize a | + | | | verification operation. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 298 | :ref:`mozilla_projects_n | **NSS** | + | | ss_reference_fc_verifyrecover` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_VerifyRecover - Verify data | + | | | in a single recoverable | + | | | operation. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 299 | :ref:`mozilla_projects_nss_r | **NSS** | + | | eference_fc_verifyrecoverinit` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_VerifyRecoverInit - | + | | | initialize a verification | + | | | operation where data is | + | | | recoverable. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 300 | :ref:`mozilla_projects_ | **NSS** | + | | nss_reference_fc_verifyupdate` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_VerifyUpdate - process the | + | | | next block of a multi-part | + | | | verify operation. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 301 | :ref:`mozilla_projects_nss_ | **NSS** | + | | reference_fc_waitforslotevent` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_WaitForSlotEvent - waits | + | | | for a slot event, such as | + | | | token insertion or token | + | | | removal, to occur. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 302 | :ref:`mozilla_proj | **NSS** | + | | ects_nss_reference_fc_wrapkey` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_WrapKey - wrap a key | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 303 | :ref:`mozilla_project | **NSS** | + | | s_nss_reference_nsc_inittoken` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | ``NSC_InitToken()`` - | + | | | initialize or re-initialize a | + | | | token. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 304 | :ref:`mozilla_pro | **NSS** | + | | jects_nss_reference_nsc_login` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | ``NSC_Login()`` - log a user | + | | | into a token. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 305 | :ref:`mozilla_projects | | + | | _nss_reference_nspr_functions` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | `NSPR `__ | + | | | is a platform abstraction | + | | | library that provides a | + | | | cross-platform API to common | + | | | OS services. NSS uses NSPR | + | | | internally as the porting | + | | | layer. However, a small | + | | | number of NSPR functions are | + | | | required for using the | + | | | certificate verification and | + | | | SSL functions in NSS. These | + | | | NSPR functions are listed in | + | | | this section. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 306 | :re | **NSS** | + | | f:`mozilla_projects_nss_refere | | + | | nce_nss_certificate_functions` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | This chapter describes the | + | | | functions and related types | + | | | used to work with a | + | | | certificate database such as | + | | | the cert8.db database provided | + | | | with NSS. This was converted | + | | | from `"Chapter 5: Certificate | + | | | Functions" `__. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 307 | :r | **NSS** | + | | ef:`mozilla_projects_nss_refer | | + | | ence_nss_cryptographic_module` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | This chapter describes the | + | | | data types and functions that | + | | | one can use to perform | + | | | cryptographic operations with | + | | | the NSS cryptographic module. | + | | | The NSS cryptographic module | + | | | uses the industry standard | + | | | `PKCS | + | | | #11 `__ | + | | | v2.20 as its API with some | + | | | extensions. Therefore, an | + | | | application that supports PKCS | + | | | #11 cryptographic tokens can | + | | | be easily modified to use the | + | | | NSS cryptographic module. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 308 | :ref:`mozilla_projects_ns | **NSS** | + | | s_reference_nss_cryptographic_ | | + | | module_fips_mode_of_operation` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | These functions manage | + | | | certificates and keys. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 309 | :re | **NSS** | + | | f:`mozilla_projects_nss_refere | | + | | nce_nss_environment_variables` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | These environment variables | + | | | affect the RUN TIME behavior | + | | | of NSS shared libraries. There | + | | | is a separate set of | + | | | environment variables that | + | | | affect how NSS is built, | + | | | documented below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 310 | :ref:`mozilla_project | **NSS** | + | | s_nss_reference_nss_functions` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | This page lists all exported | + | | | functions in NSS 3.11.7 It was | + | | | ported from | + | | | `here `__. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 311 | :ref:`mozilla_projects | | + | | _nss_reference_nss_initialize` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | NSS_Initialize - initialize | + | | | NSS. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 312 | :ref:`mozilla_projects_ns | **NSS** | + | | s_reference_nss_key_functions` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | This chapter describes two | + | | | functions used to manipulate | + | | | private keys and key databases | + | | | such as the key3.db database | + | | | provided with NSS. This was | + | | | converted from `"Chapter 6: | + | | | Key | + | | | Functions" `__. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 313 | :ref:`mozilla_projects_nss_r | | + | | eference_nss_tools_:_certutil` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Name | + | | | certutil — Manage keys and | + | | | certificate in both NSS | + | | | databases and other NSS tokens | + | | | Synopsis | + | | | certutil [options] | + | | | [[arguments]] | + | | | Description | + | | | The Certificate Database | + | | | Tool, certutil, is a | + | | | command-line utility | + | | | that can create and modify | + | | | certificate and key databases. | + | | | It can specifically list, | + | | | generate, modify, or delete | + | | | certificates, create or | + | | | change the password, | + | | | generate new public and | + | | | private key pairs, | + | | | display the contents of the | + | | | key database, or delete key | + | | | pairs within the key | + | | | database. | + | | | Certificate issuance, part | + | | | of the key and certificate | + | | | management process, requires | + | | | that | + | | | keys and certificates be | + | | | created in the key database. | + | | | This document discusses | + | | | certificate | + | | | and key database | + | | | management. For information on | + | | | the security module database | + | | | management, | + | | | see the modutil manpage. | + | | | Options and Arguments | + | | | Running certutil always | + | | | requires one and only one | + | | | command option to | + | | | specify the type of | + | | | certificate operation. Each | + | | | option may take arguments, | + | | | anywhere from none to | + | | | multiple arguments. The | + | | | command option -H will list | + | | | all the command options | + | | | available and their relevant | + | | | arguments. | + | | | Command Options | + | | | -A | + | | | Add an existing | + | | | certificate to a certificate | + | | | database. | + | | | The certificate | + | | | database should already exist; | + | | | if one is | + | | | not present, this | + | | | command option will initialize | + | | | one by default. | + | | | -B | + | | | Run a series of | + | | | commands from the specified | + | | | batch file. | + | | | This requires the -i | + | | | argument. | + | | | -C | + | | | Create a new binary | + | | | certificate file from a binary | + | | | certificate request | + | | | file. Use the -i argument to | + | | | specify | + | | | the certificate | + | | | request file. If this argument | + | | | is not | + | | | used, certutil | + | | | prompts for a filename. | + | | | -D | + | | | Delete a certificate | + | | | from the certificate database. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 314 | :ref:`mozilla_projects_nss_ | | + | | reference_nss_tools_:_cmsutil` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Name | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 315 | :ref:`mozilla_projects_nss_ | **Reference** | + | | reference_nss_tools_:_crlutil` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Name | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 316 | :ref:`mozilla_projects_nss_ | **Mozilla, NSS, Reference, | + | | reference_nss_tools_:_modutil` | Security, Tools, Utilities, | + | | | modutil** | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Name | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 317 | :ref:`mozilla_projects_nss_r | | + | | eference_nss_tools_:_pk12util` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | NSS tools : pk12util | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 318 | :ref:`mozilla_projects_nss | | + | | _reference_nss_tools_:_ssltab` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Name | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 319 | :ref:`mozilla_projects_nss | | + | | _reference_nss_tools_:_ssltap` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Name | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 320 | :ref:`mozilla_projects_nss_r | | + | | eference_nss_tools_:_vfychain` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Name | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 321 | :ref:`mozilla_projects_nss_ | | + | | reference_nss_tools_:_vfyserv` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Name | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 322 | :ref:`mozilla_pro | | + | | jects_nss_reference_nss_tools` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | certutil | + | | | :ref:`mozilla_projects_nss_r | + | | | eference_nss_tools_:_certutil` | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 323 | :ref:`mozilla_projec | | + | | ts_nss_reference_troubleshoot` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Newsgroup: | + | | | `mozilla.dev.tech | + | | | .crypto `__ | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 324 | :ref:`mozil | | + | | la_projects_nss_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | This page lists release notes | + | | | for older versions of NSS. | + | | | See :ref:`mozi | + | | | lla_projects_nss_nss_releases` | + | | | :ref:`mozi | + | | | lla_projects_nss_nss_releases` | + | | | for recent release notes. The | + | | | links below are provided for | + | | | historical information. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 325 | :ref:`mozilla_ | **NSS** | + | | projects_nss_s_mime_functions` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The public functions listed | + | | | here perform S/MIME operations | + | | | using the `S/MIME | + | | | Toolkit `__. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 326 | :ref:`mozil | **NSS** | + | | la_projects_nss_ssl_functions` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The public functions listed | + | | | here are used to configure | + | | | sockets for communication via | + | | | the SSL and TLS protocols. In | + | | | addition to the functions | + | | | listed here, applications that | + | | | support SSL use some of the | + | | | Certificate functions, Crypto | + | | | functions, and Utility | + | | | functions described below on | + | | | this page. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 327 | :ref:`mozilla_pro | | + | | jects_nss_ssl_functions_gtstd` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | This chapter describes how to | + | | | set up your environment, | + | | | including certificate and key | + | | | databases. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 328 | :ref:`mozilla_projects_nss_ss | **NSS** | + | | l_functions_old_ssl_reference` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | *New | + | | | sgroup:*\ `mozilla.dev.tech.cr | + | | | ypto `__\ * | + | | | Writer: Sean Cotter | + | | | Manager: Wan-Teh Chang* | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 329 | :ref:`mozilla_pro | | + | | jects_nss_ssl_functions_pkfnc` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 330 | :ref:`mozilla_proj | | + | | ects_nss_ssl_functions_sslcrt` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 331 | :ref:`mozilla_proj | | + | | ects_nss_ssl_functions_sslerr` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 332 | :ref:`mozilla_proj | | + | | ects_nss_ssl_functions_sslfnc` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 333 | :ref:`mozilla_projec | | + | | ts_nss_ssl_functions_sslintro` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | SSL and related APIs allow | + | | | compliant applications to | + | | | configure sockets for | + | | | authenticated, tamper-proof, | + | | | and encrypted communications. | + | | | This chapter introduces some | + | | | of the basic SSL functions. | + | | | `Chapter 2, "Getting Started | + | | | With | + | | | SSL" `__ | + | | | illustrates their use in | + | | | sample client and server | + | | | applications. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 334 | :ref:`mozilla_proj | | + | | ects_nss_ssl_functions_sslkey` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 335 | :ref:`mozilla_proj | | + | | ects_nss_ssl_functions_ssltyp` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 336 | :ref:`mozilla_projects_n | **NSS** | + | | ss_tls_cipher_suite_discovery` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | In order to communicate | + | | | securely, an TLS client and | + | | | TLS server must agree on the | + | | | cryptographic algorithms and | + | | | keys that they will both use | + | | | on the secured connection. | + | | | They must agree on these | + | | | items: | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 337 | :re | **NSS** | + | | f:`mozilla_projects_nss_tools` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Newsgroup: | + | | | `mozilla.dev.tech | + | | | .crypto `__ | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 338 | :ref:`mozill | | + | | a_projects_nss_tools_certutil` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Name | + | | | certutil — Manage keys and | + | | | certificate in the NSS | + | | | database. | + | | | Synopsis | + | | | certutil [options] | + | | | `arguments `__ | + | | | Description | + | | | The Certificate Database | + | | | Tool, certutil, is a | + | | | command-line utility that | + | | | can create and modify | + | | | certificate and key database | + | | | files. It can also | + | | | list, generate, modify, or | + | | | delete certificates within the | + | | | database, create | + | | | or change the password, | + | | | generate new public and | + | | | private key pairs, display | + | | | the contents of the key | + | | | database, or delete key pairs | + | | | within the key | + | | | database. | + | | | The key and certificate | + | | | management process generally | + | | | begins with creating | + | | | keys in the key database, | + | | | then generating and managing | + | | | certificates in the | + | | | certificate database. This | + | | | document discusses certificate | + | | | and key database | + | | | management. For information | + | | | security module database | + | | | management, see the | + | | | modutil manpages. | + | | | Options and Arguments | + | | | Running certutil always | + | | | requires one (and only one) | + | | | option to specify the | + | | | type of certificate | + | | | operation. Each option may | + | | | take arguments, anywhere | + | | | from none to multiple | + | | | arguments. Run the command | + | | | option and -H to see the | + | | | arguments available for | + | | | each command option. | + | | | Options | + | | | Options specify an action | + | | | and are uppercase. | + | | | -A | + | | | Add an existing | + | | | certificate to a certificate | + | | | database. The | + | | | certificate | + | | | database should already exist; | + | | | if one is not present, | + | | | this option will | + | | | initialize one by default. | + | | | -B | + | | | Run a series of | + | | | commands from the specified | + | | | batch file. This | + | | | requires the -i | + | | | argument. | + | | | -C | + | | | Create a new binary | + | | | certificate file from a binary | + | | | certificate | + | | | request file. Use | + | | | the -i argument to specify the | + | | | certificate | + | | | request file. If | + | | | this argument is not used, | + | | | certutil prompts for a | + | | | filename. | + | | | -D | + | | | Delete a | + | | | certificate from the | + | | | certificate database. | + | | | -E | + | | | Add an email | + | | | certificate to the certificate | + | | | database. | + | | | -F | + | | | Delete a private | + | | | key from a key database. | + | | | Specify the key to | + | | | delete with the -n | + | | | argument. Specify the database | + | | | from which to | + | | | delete the key with | + | | | the -d argument. Use the -k | + | | | argument to | + | | | specify explicitly | + | | | whether to delete a DSA, RSA, | + | | | or ECC key. If | + | | | you don't use the | + | | | -k argument, the option looks | + | | | for an RSA key | + | | | matching the | + | | | specified nickname. | + | | | When you delete | + | | | keys, be sure to also remove | + | | | any certificates | + | | | associated with | + | | | those keys from the | + | | | certificate database, by using | + | | | -D. Some smart | + | | | cards (for example, the | + | | | Litronic card) do not let | + | | | you remove a public | + | | | key you have generated. In | + | | | such a case, only | + | | | the private key is | + | | | deleted from the key pair. You | + | | | can display the | + | | | public key with the | + | | | command certutil -K -h | + | | | tokenname. | + | | | -G | + | | | Generate a new | + | | | public and private key pair | + | | | within a key database. | + | | | The key database | + | | | should already exist; if one | + | | | is not present, this | + | | | option will | + | | | initialize one by default. | + | | | Some smart cards (for | + | | | example, the | + | | | Litronic card) can store only | + | | | one key pair. If you | + | | | create a new key | + | | | pair for such a card, the | + | | | previous pair is | + | | | overwritten. | + | | | -H | + | | | Display a list of | + | | | the options and arguments used | + | | | by the | + | | | Certificate | + | | | Database Tool. | + | | | -K | + | | | List the key ID of | + | | | keys in the key database. A | + | | | key ID is the | + | | | modulus of the RSA | + | | | key or the publicValue of the | + | | | DSA key. IDs are | + | | | displayed in | + | | | hexadecimal ("0x" is not | + | | | shown). | + | | | -L | + | | | List all the | + | | | certificates, or display | + | | | information about a named | + | | | certificate, in a | + | | | certificate database. Use the | + | | | -h tokenname | + | | | argument to specify | + | | | the certificate database on a | + | | | particular | + | | | hardware or | + | | | software token. | + | | | -M | + | | | Modify a | + | | | certificate's trust attributes | + | | | using the values of the -t | + | | | argument. | + | | | -N | + | | | Create new | + | | | certificate and key databases. | + | | | -O | + | | | Print the | + | | | certificate chain. | + | | | -R | + | | | Create a | + | | | certificate request file that | + | | | can be submitted to a | + | | | Certificate | + | | | Authority (CA) for processing | + | | | into a finished | + | | | certificate. Output | + | | | defaults to standard out | + | | | unless you use -o | + | | | output-file | + | | | argument. Use the -a argument | + | | | to specify ASCII output. | + | | | -S | + | | | Create an | + | | | individual certificate and add | + | | | it to a certificate | + | | | database. | + | | | -T | + | | | Reset the key | + | | | database or token. | + | | | -U | + | | | List all available | + | | | modules or print a single | + | | | named module. | + | | | -V | + | | | Check the validity | + | | | of a certificate and its | + | | | attributes. | + | | | -W | + | | | Change the password | + | | | to a key database. | + | | | --merge | + | | | Merge a source | + | | | database into the target | + | | | database. This is used to | + | | | merge legacy NSS | + | | | databases (cert8.db and | + | | | key3.db) into the newer | + | | | SQLite databases | + | | | (cert9.db and key4.db). | + | | | --upgrade-merge | + | | | Upgrade an old | + | | | database and merge it into a | + | | | new database. This is | + | | | used to migrate | + | | | legacy NSS databases (cert8.db | + | | | and key3.db) into | + | | | the newer SQLite | + | | | databases (cert9.db and | + | | | key4.db). | + | | | Arguments | + | | | Option arguments modify an | + | | | action and are lowercase. | + | | | -a | + | | | Use ASCII format or | + | | | allow the use of ASCII format | + | | | for input or | + | | | output. This | + | | | formatting follows RFC 1113. | + | | | For certificate | + | | | requests, ASCII | + | | | output defaults to standard | + | | | output unless | + | | | redirected. | + | | | -b validity-time | + | | | Specify a time at | + | | | which a certificate is | + | | | required to be valid. Use | + | | | when checking | + | | | certificate validity with the | + | | | -V option. The format | + | | | of the | + | | | validity-time argument is | + | | | YYMMDDHHMMSS[+HHMM|-HHMM|Z], | + | | | which allows | + | | | offsets to be set relative to | + | | | the validity end time. | + | | | Specifying seconds | + | | | (SS) is optional. When | + | | | specifying an explicit | + | | | time, use a Z at | + | | | the end of the term, | + | | | YYMMDDHHMMSSZ, to close it. | + | | | When specifying an | + | | | offset time, use | + | | | YYMMDDHHMMSS+HHMM or | + | | | YYMMDDHHMMSS-HHMM | + | | | for adding or subtracting | + | | | time, respectively. | + | | | If this option is | + | | | not used, the validity check | + | | | defaults to the | + | | | current system | + | | | time. | + | | | -c issuer | + | | | Identify the | + | | | certificate of the CA from | + | | | which a new certificate | + | | | will derive its | + | | | authenticity. Use the exact | + | | | nickname or alias of | + | | | the CA certificate, | + | | | or use the CA's email address. | + | | | Bracket the | + | | | issuer string with | + | | | quotation marks if it contains | + | | | spaces. | + | | | -d [sql:]directory | + | | | Specify the | + | | | database directory containing | + | | | the certificate and key | + | | | database files. | + | | | certutil supports | + | | | two types of databases: the | + | | | legacy security | + | | | databases | + | | | (cert8.db, key3.db, and | + | | | secmod.db) and new SQLite | + | | | databases | + | | | (cert9.db, key4.db, and | + | | | pkcs11.txt). If the prefix | + | | | sql: | + | | | is not used, then | + | | | the tool assumes that the | + | | | given databases are in | + | | | the old format. | + | | | -e | + | | | Check a | + | | | certificate's signature during | + | | | the process of validating a | + | | | certificate. | + | | | -f password-file | + | | | Specify a file that | + | | | will automatically supply the | + | | | password to | + | | | include in a | + | | | certificate or to access a | + | | | certificate database. This | + | | | is a plain-text | + | | | file containing one password. | + | | | Be sure to prevent | + | | | unauthorized access | + | | | to this file. | + | | | -g keysize | + | | | Set a key size to | + | | | use when generating new public | + | | | and private key | + | | | pairs. The minimum | + | | | is 512 bits and the maximum is | + | | | 8192 bits. The | + | | | default is 1024 | + | | | bits. Any size between the | + | | | minimum and maximum is | + | | | allowed. | + | | | -h tokenname | + | | | Specify the name of | + | | | a token to use or act on. | + | | | Unless specified | + | | | otherwise the | + | | | default token is an internal | + | | | slot (specifically, | + | | | internal slot 2). | + | | | This slot can also be | + | | | explicitly named with the | + | | | string "internal". | + | | | An internal slots is a virtual | + | | | slot maintained | + | | | in software, rather | + | | | than a hardware device. | + | | | Internal slot 2 is | + | | | used by key and | + | | | certificate services. Internal | + | | | slot 1 is used by | + | | | cryptographic | + | | | services. | + | | | -i input_file | + | | | Pass an input file | + | | | to the command. Depending on | + | | | the command | + | | | option, an input | + | | | file can be a specific | + | | | certificate, a certificate | + | | | request file, or a | + | | | batch file of commands. | + | | | -k rsa|dsa|ec|all | + | | | Specify the type of | + | | | a key. The valid options are | + | | | RSA, DSA, ECC, or | + | | | all. The default | + | | | value is rsa. Specifying the | + | | | type of key can | + | | | avoid mistakes | + | | | caused by duplicate nicknames. | + | | | -k key-type-or-id | + | | | Specify the type or | + | | | specific ID of a key. Giving a | + | | | key type | + | | | generates a new key | + | | | pair; giving the ID of an | + | | | existing key reuses | + | | | that key pair | + | | | (which is required to renew | + | | | certificates). | + | | | -l | + | | | Display detailed | + | | | information when validating a | + | | | certificate with | + | | | the -V option. | + | | | -m serial-number | + | | | Assign a unique | + | | | serial number to a certificate | + | | | being created. This | + | | | operation should be | + | | | performed by a CA. The default | + | | | serial number | + | | | is 0 (zero). Serial | + | | | numbers are limited to | + | | | integers. | + | | | -n nickname | + | | | Specify the | + | | | nickname of a certificate or | + | | | key to list, create, add | + | | | to a database, | + | | | modify, or validate. Bracket | + | | | the nickname string | + | | | with quotation | + | | | marks if it contains spaces. | + | | | -o output-file | + | | | Specify the output | + | | | file name for new certificates | + | | | or binary | + | | | certificate | + | | | requests. Bracket the | + | | | output-file string with | + | | | quotation marks if | + | | | it contains spaces. If this | + | | | argument is not | + | | | used the output | + | | | destination defaults to | + | | | standard output. | + | | | -P dbPrefix | + | | | Specify the prefix | + | | | used on the certificate and | + | | | key database file. | + | | | This option is | + | | | provided as a special case. | + | | | Changing the names of | + | | | the certificate and | + | | | key databases is not | + | | | recommended. | + | | | -p phone | + | | | Specify a contact | + | | | telephone number to include in | + | | | new certificates | + | | | or certificate | + | | | requests. Bracket this string | + | | | with quotation marks | + | | | if it contains | + | | | spaces. | + | | | -q pqgfile | + | | | Read an alternate | + | | | PQG value from the specified | + | | | file when | + | | | generating DSA key | + | | | pairs. If this argument is not | + | | | used, certutil | + | | | generates its own | + | | | PQG value. PQG files are | + | | | created with a separate | + | | | DSA utility. | + | | | -q curve-name | + | | | Set the elliptic | + | | | curve name to use when | + | | | generating ECC key pairs. | + | | | A complete list of | + | | | ECC curves is given in the | + | | | help (-H). | + | | | -r | + | | | Display a | + | | | certificate's binary DER | + | | | encoding when listing | + | | | information about | + | | | that certificate with the -L | + | | | option. | + | | | -s subject | + | | | Identify a | + | | | particular certificate owner | + | | | for new certificates or | + | | | certificate | + | | | requests. Bracket this string | + | | | with quotation marks if | + | | | it contains spaces. | + | | | The subject identification | + | | | format follows RFC | + | | | #1485. | + | | | -t trustargs | + | | | Specify the trust | + | | | attributes to modify in an | + | | | existing certificate | + | | | or to apply to a | + | | | certificate when creating it | + | | | or adding it to a | + | | | database. There are | + | | | three available trust | + | | | categories for each | + | | | certificate, | + | | | expressed in the order SSL, | + | | | email, object signing for | + | | | each trust setting. | + | | | In each category position, use | + | | | none, any, or | + | | | all of the | + | | | attribute codes: | + | | | o p - Valid peer | + | | | o P - Trusted | + | | | peer (implies p) | + | | | o c - Valid CA | + | | | o T - Trusted CA | + | | | to issue client certificates | + | | | (implies c) | + | | | o C - Trusted CA | + | | | to issue server certificates | + | | | (SSL only) | + | | | (implies c) | + | | | o u - | + | | | Certificate can be used for | + | | | authentication or signing | + | | | o w - Send | + | | | warning (use with other | + | | | attributes to include a | + | | | warning when | + | | | the certificate is used in | + | | | that context) | + | | | The attribute codes | + | | | for the categories are | + | | | separated by commas, | + | | | and the entire set | + | | | of attributes enclosed by | + | | | quotation marks. For | + | | | example: | + | | | -t "TCu,Cu,Tuw" | + | | | Use the -L option | + | | | to see a list of the current | + | | | certificates and | + | | | trust attributes in | + | | | a certificate database. | + | | | -u certusage | + | | | Specify a usage | + | | | context to apply when | + | | | validating a certificate | + | | | with the -V option. | + | | | The contexts are | + | | | the following: | + | | | o C (as an SSL | + | | | client) | + | | | o V (as an SSL | + | | | server) | + | | | o S (as an email | + | | | signer) | + | | | o R (as an email | + | | | recipient) | + | | | o O (as an OCSP | + | | | status responder) | + | | | o J (as an | + | | | object signer) | + | | | -v valid-months | + | | | Set the number of | + | | | months a new certificate will | + | | | be valid. The | + | | | validity period | + | | | begins at the current system | + | | | time unless an offset | + | | | is added or | + | | | subtracted with the -w option. | + | | | If this argument is not | + | | | used, the default | + | | | validity period is three | + | | | months. When this | + | | | argument is used, | + | | | the default three-month period | + | | | is automatically | + | | | added to any value | + | | | given in the valid-month | + | | | argument. For example, | + | | | using this option | + | | | to set a value of 3 would | + | | | cause 3 to be added to | + | | | the three-month | + | | | default, creating a validity | + | | | period of six months. | + | | | You can use | + | | | negative values to reduce the | + | | | default period. For | + | | | example, setting a | + | | | value of -2 would subtract 2 | + | | | from the default | + | | | and create a | + | | | validity period of one month. | + | | | -w offset-months | + | | | Set an offset from | + | | | the current system time, in | + | | | months, for the | + | | | beginning of a | + | | | certificate's validity period. | + | | | Use when creating | + | | | the certificate or | + | | | adding it to a database. | + | | | Express the offset in | + | | | integers, using a | + | | | minus sign (-) to indicate a | + | | | negative offset. If | + | | | this argument is | + | | | not used, the validity period | + | | | begins at the | + | | | current system | + | | | time. The length of the | + | | | validity period is set with | + | | | the -v argument. | + | | | -X | + | | | Force the key and | + | | | certificate database to open | + | | | in read-write mode. | + | | | This is used with | + | | | the -U and -L command options. | + | | | -x | + | | | Use certutil to | + | | | generate the signature for a | + | | | certificate being | + | | | created or added to | + | | | a database, rather than | + | | | obtaining a signature | + | | | from a separate CA. | + | | | -y exp | + | | | Set an alternate | + | | | exponent value to use in | + | | | generating a new RSA | + | | | public key for the | + | | | database, instead of the | + | | | default value of | + | | | 65537. The | + | | | available alternate values are | + | | | 3 and 17. | + | | | -z noise-file | + | | | Read a seed value | + | | | from the specified file to | + | | | generate a new | + | | | private and public | + | | | key pair. This argument makes | + | | | it possible to | + | | | use | + | | | hardware-generated seed values | + | | | or manually create a value | + | | | from | + | | | the keyboard. The | + | | | minimum file size is 20 bytes. | + | | | -0 SSO_password | + | | | Set a site security | + | | | officer password on a token. | + | | | -1 \| --keyUsage | + | | | keyword,keyword | + | | | Set a Netscape | + | | | Certificate Type Extension in | + | | | the certificate. | + | | | There are several | + | | | available keywords: | + | | | o digital | + | | | signature | + | | | o nonRepudiation | + | | | | + | | | o keyEncipherment | + | | | | + | | | o dataEncipherment | + | | | o keyAgreement | + | | | o certSigning | + | | | o crlSigning | + | | | o critical | + | | | -2 | + | | | Add a basic | + | | | constraint extension to a | + | | | certificate that is being | + | | | created or added to | + | | | a database. This extension | + | | | supports the | + | | | certificate chain | + | | | verification process. certutil | + | | | prompts for the | + | | | certificate | + | | | constraint extension to | + | | | select. | + | | | X.509 certificate | + | | | extensions are described in | + | | | RFC 5280. | + | | | -3 | + | | | Add an authority | + | | | key ID extension to a | + | | | certificate that is being | + | | | created or added to | + | | | a database. This extension | + | | | supports the | + | | | identification of a | + | | | particular certificate, from | + | | | among multiple | + | | | certificates | + | | | associated with one subject | + | | | name, as the correct | + | | | issuer of a | + | | | certificate. The Certificate | + | | | Database Tool will prompt | + | | | you to select the | + | | | authority key ID extension. | + | | | X.509 certificate | + | | | extensions are described in | + | | | RFC 5280. | + | | | -4 | + | | | Add a CRL | + | | | distribution point extension | + | | | to a certificate that is | + | | | being created or | + | | | added to a database. This | + | | | extension identifies | + | | | the URL of a | + | | | certificate's associated | + | | | certificate revocation list | + | | | (CRL). certutil | + | | | prompts for the URL. | + | | | X.509 certificate | + | | | extensions are described in | + | | | RFC 5280. | + | | | -5 \| --nsCertType | + | | | keyword,keyword | + | | | Add a Netscape | + | | | certificate type extension to | + | | | a certificate that is | + | | | being created or | + | | | added to the database. There | + | | | are several | + | | | available keywords: | + | | | o sslClient | + | | | o sslServer | + | | | o smime | + | | | o objectSigning | + | | | o sslCA | + | | | o smimeCA | + | | | | + | | | o objectSigningCA | + | | | o critical | + | | | X.509 certificate | + | | | extensions are described in | + | | | RFC 5280. | + | | | -6 \| --extKeyUsage | + | | | keyword,keyword | + | | | Add an extended key | + | | | usage extension to a | + | | | certificate that is being | + | | | created or added to | + | | | the database. Several keywords | + | | | are available: | + | | | o serverAuth | + | | | o clientAuth | + | | | o codeSigning | + | | | | + | | | o emailProtection | + | | | o timeStamp | + | | | o ocspResponder | + | | | o stepUp | + | | | o critical | + | | | X.509 certificate | + | | | extensions are described in | + | | | RFC 5280. | + | | | -7 emailAddrs | + | | | Add a | + | | | comma-separated list of email | + | | | addresses to the subject | + | | | alternative name | + | | | extension of a certificate or | + | | | certificate request | + | | | that is being | + | | | created or added to the | + | | | database. Subject | + | | | alternative name | + | | | extensions are described in | + | | | Section 4.2.1.7 of | + | | | RFC 3280. | + | | | -8 dns-names | + | | | Add a | + | | | comma-separated list of DNS | + | | | names to the subject | + | | | alternative | + | | | name extension of a | + | | | certificate or certificate | + | | | request that is | + | | | being created or | + | | | added to the database. Subject | + | | | alternative name | + | | | extensions are | + | | | described in Section 4.2.1.7 | + | | | of RFC 3280. | + | | | --extAIA | + | | | Add the Authority | + | | | Information Access extension | + | | | to the certificate. | + | | | X.509 certificate | + | | | extensions are described in | + | | | RFC 5280. | + | | | --extSIA | + | | | Add the Subject | + | | | Information Access extension | + | | | to the certificate. | + | | | X.509 certificate | + | | | extensions are described in | + | | | RFC 5280. | + | | | --extCP | + | | | Add the Certificate | + | | | Policies extension to the | + | | | certificate. X.509 | + | | | certificate | + | | | extensions are described in | + | | | RFC 5280. | + | | | --extPM | + | | | Add the Policy | + | | | Mappings extension to the | + | | | certificate. X.509 | + | | | certificate | + | | | extensions are described in | + | | | RFC 5280. | + | | | --extPC | + | | | Add the Policy | + | | | Constraints extension to the | + | | | certificate. X.509 | + | | | certificate | + | | | extensions are described in | + | | | RFC 5280. | + | | | --extIA | + | | | Add the Inhibit Any | + | | | Policy Access extension to the | + | | | certificate. | + | | | X.509 certificate | + | | | extensions are described in | + | | | RFC 5280. | + | | | --extSKID | + | | | Add the Subject Key | + | | | ID extension to the | + | | | certificate. X.509 | + | | | certificate | + | | | extensions are described in | + | | | RFC 5280. | + | | | --source-dir certdir | + | | | Identify the | + | | | certificate database directory | + | | | to upgrade. | + | | | --source-prefix certdir | + | | | Give the prefix of | + | | | the certificate and key | + | | | databases to upgrade. | + | | | --upgrade-id uniqueID | + | | | Give the unique ID | + | | | of the database to upgrade. | + | | | --upgrade-token-name name | + | | | Set the name of the | + | | | token to use while it is being | + | | | upgraded. | + | | | -@ pwfile | + | | | Give the name of a | + | | | password file to use for the | + | | | database being | + | | | upgraded. | + | | | Usage and Examples | + | | | Most of the command options | + | | | in the examples listed here | + | | | have more | + | | | arguments available. The | + | | | arguments included in these | + | | | examples are the most | + | | | common ones or are used to | + | | | illustrate a specific | + | | | scenario. Use the -H | + | | | option to show the complete | + | | | list of arguments for each | + | | | command option. | + | | | Creating New Security | + | | | Databases | + | | | Certificates, keys, and | + | | | security modules related to | + | | | managing certificates | + | | | are stored in three related | + | | | databases: | + | | | o cert8.db or cert9.db | + | | | o key3.db or key4.db | + | | | o secmod.db or pkcs11.txt | + | | | These databases must be | + | | | created before certificates or | + | | | keys can be | + | | | generated. | + | | | certutil -N -d | + | | | [sql:]directory | + | | | Creating a Certificate | + | | | Request | + | | | A certificate request | + | | | contains most or all of the | + | | | information that is used | + | | | to generate the final | + | | | certificate. This request is | + | | | submitted separately to | + | | | a certificate authority and | + | | | is then approved by some | + | | | mechanism | + | | | (automatically or by human | + | | | review). Once the request is | + | | | approved, then the | + | | | certificate is generated. | + | | | $ certutil -R -k | + | | | key-type-or-id [-q | + | | | pqgfile|curve-name] -g | + | | | key-size -s subject [-h | + | | | tokenname] -d [sql:]directory | + | | | [-p phone] [-o output-file] | + | | | [-a] | + | | | The -R command options | + | | | requires four arguments: | + | | | o -k to specify either | + | | | the key type to generate or, | + | | | when renewing a | + | | | certificate, the | + | | | existing key pair to use | + | | | o -g to set the keysize | + | | | of the key to generate | + | | | o -s to set the subject | + | | | name of the certificate | + | | | o -d to give the security | + | | | database directory | + | | | The new certificate request | + | | | can be output in ASCII format | + | | | (-a) or can be | + | | | written to a specified file | + | | | (-o). | + | | | For example: | + | | | $ certutil -R -k ec -q | + | | | nistb409 -g 512 -s "CN=John | + | | | Smith,O=Example | + | | | Corp,L=Mountain | + | | | View,ST=California,C=US" -d | + | | | sql:/home/my/sharednssdb -p | + | | | 650-555-0123 -a -o cert.cer | + | | | Generating key. This may | + | | | take a few moments... | + | | | Certificate request generated | + | | | by Netscape | + | | | Phone: 650-555-0123 | + | | | Common Name: John Smith | + | | | Email: (not ed) | + | | | Organization: Example Corp | + | | | State: California | + | | | Country: US | + | | | -----BEGIN NEW CERTIFICATE | + | | | REQUEST----- | + | | | MIIB | + | | | IDCBywIBADBmMQswCQYDVQQGEwJVUz | + | | | ETMBEGA1UECBMKQ2FsaWZvcm5pYTEW | + | | | MBQG | + | | | A1UEBxMNTW91bnRhaW4gVmlldzEVMB | + | | | MGA1UEChMMRXhhbXBsZSBDb3JwMRMw | + | | | EQYD | + | | | VQQDEwpKb2huIFNtaXRoMFwwDQYJKo | + | | | ZIhvcNAQEBBQADSwAwSAJBAMVUpDOZ | + | | | KmHn | + | | | Ox7reP8Cc0Lk+fFWEuYIDX9W5K/Bio | + | | | QOKvEjXyQZhit9aThzBVMoSf1Y1S8J | + | | | CzdU | + | | | bCg1+IbnXaECAwEAAaAAMA0GCSqGSI | + | | | b3DQEBBQUAA0EAryqZvpYrUtQ486Ny | + | | | qmty | + | | | QNjIi1F8c1Z+TL4uFYlMg8z6LG/J/u | + | | | 1E5t1QqB5e9Q4+BhRbrQjRR1JZx3tB | + | | | 1hP9Gg== | + | | | -----END NEW CERTIFICATE | + | | | REQUEST----- | + | | | Creating a Certificate | + | | | A valid certificate must be | + | | | issued by a trusted CA. This | + | | | can be done by | + | | | specifying a CA certificate | + | | | (-c) that is stored in the | + | | | certificate | + | | | database. If a CA key pair | + | | | is not available, you can | + | | | create a self-signed | + | | | certificate using the -x | + | | | argument with the -S command | + | | | option. | + | | | $ certutil -S -k rsa|dsa|ec | + | | | -n certname -s subject [-c | + | | | issuer \|-x] -t trustargs -d | + | | | [sql:]directory [-m | + | | | serial-number] [-v | + | | | valid-months] [-w | + | | | offset-months] [-p phone] [-1] | + | | | [-2] [-3] [-4] [-5 keyword] | + | | | [-6 keyword] [-7 emailAddress] | + | | | [-8 dns-names] [--extAIA] | + | | | [--extSIA] [--extCP] [--extPM] | + | | | [--extPC] [--extIA] | + | | | [--extSKID] | + | | | The series of numbers and | + | | | --ext\* options set | + | | | certificate extensions that | + | | | can be added to the | + | | | certificate when it is | + | | | generated by the CA. | + | | | For example, this creates a | + | | | self-signed certificate: | + | | | $ certutil -S -s "CN=Example | + | | | CA" -n my-ca-cert -x -t | + | | | "C,C,C" -1 -2 -5 -m 3650 | + | | | From there, new | + | | | certificates can reference the | + | | | self-signed certificate: | + | | | $ certutil -S -s "CN=My | + | | | Server Cert" -n my-server-cert | + | | | -c "my-ca-cert" -t "u,u,u" -1 | + | | | -5 -6 -8 -m 730 | + | | | Generating a Certificate | + | | | from a Certificate Request | + | | | When a certificate request | + | | | is created, a certificate can | + | | | be generated by | + | | | using the request and then | + | | | referencing a certificate | + | | | authority signing | + | | | certificate (the issuer | + | | | specified in the -c argument). | + | | | The issuing | + | | | certificate must be in the | + | | | certificate database in the | + | | | specified | + | | | directory. | + | | | certutil -C -c issuer -i | + | | | cert-request-file -o | + | | | output-file [-m serial-number] | + | | | [-v valid-months] [-w | + | | | offset-months] -d | + | | | [sql:]directory [-1] [-2] [-3] | + | | | [-4] [-5 keyword] [-6 keyword] | + | | | [-7 emailAddress] [-8 | + | | | dns-names] | + | | | For example: | + | | | $ certutil -C -c "my-ca-cert" | + | | | -i /home/certs/cert.req -o | + | | | cert.cer -m 010 -v 12 -w 1 -d | + | | | sql:/home/my/sharednssdb -1 | + | | | n | + | | | onRepudiation,dataEncipherment | + | | | -5 sslClient -6 clientAuth -7 | + | | | jsmith@example.com | + | | | Generating Key Pairs | + | | | Key pairs are generated | + | | | automatically with a | + | | | certificate request or | + | | | certificate, but they can | + | | | also be generated | + | | | independently using the -G | + | | | command option. | + | | | certutil -G -d | + | | | [sql:]directory \| -h | + | | | tokenname -k key-type -g | + | | | key-size [-y exponent-value] | + | | | -q pqgfile|curve-name | + | | | For example: | + | | | $ certutil -G -h lunasa -k ec | + | | | -g 256 -q sect193r2 | + | | | Listing Certificates | + | | | The -L command option lists | + | | | all of the certificates listed | + | | | in the | + | | | certificate database. The | + | | | path to the directory (-d) is | + | | | required. | + | | | $ certutil -L -d | + | | | sql:/home/my/sharednssdb | + | | | Certificate | + | | | Nickname | + | | | | + | | | Trust Attributes | + | | | | + | | | | + | | | | + | | | SSL,S/MIME,JAR/XPI | + | | | CA Administrator of Instance | + | | | pki-ca1's Example Domain | + | | | ID u,u,u | + | | | TPS Administrator's Example | + | | | Domain | + | | | ID | + | | | u,u,u | + | | | Google Internet | + | | | Authority | + | | | | + | | | ,, | + | | | Certificate Authority - | + | | | Example | + | | | Domain | + | | | CT,C,C | + | | | Using additional arguments | + | | | with -L can return and print | + | | | the information | + | | | for a single, specific | + | | | certificate. For example, the | + | | | -n argument passes | + | | | the certificate name, while | + | | | the -a argument prints the | + | | | certificate in | + | | | ASCII format: | + | | | $ certutil -L -d | + | | | sql:/home/my/sharednssdb -a -n | + | | | "Certificate Authority - | + | | | Example Domain" | + | | | -----BEGIN CERTIFICATE----- | + | | | MIID | + | | | mTCCAoGgAwIBAgIBATANBgkqhkiG9w | + | | | 0BAQUFADA5MRcwFQYDVQQKEw5FeGFt | + | | | cGxl | + | | | IERvbWFpbjEeMBwGA1UEAxMVQ2VydG | + | | | lmaWNhdGUgQXV0aG9yaXR5MB4XDTEw | + | | | MDQy | + | | | OTIxNTY1OFoXDTEyMDQxODIxNTY1OF | + | | | owOTEXMBUGA1UEChMORXhhbXBsZSBE | + | | | b21h | + | | | aW4xHjAcBgNVBAMTFUNlcnRpZmljYX | + | | | RlIEF1dGhvcml0eTCCASIwDQYJKoZI | + | | | hvcN | + | | | AQEBBQADggEPADCCAQoCggEBAO/bqU | + | | | li2KwqXFKmMMG93KN1SANzNTXA/Vlf | + | | | Tmri | + | | | h3hQgjvR1ktIY9aG6cB7DSKWmtHp/+ | + | | | p4PUCMqL4ZrSGt901qxkePyZ2dYmM2 | + | | | Rnel | + | | | K+SEUIPiUtoZaDhNdiYsE/yuDE8vQW | + | | | j0vHCVL0w72qFUcSQ/WZT7FCrnUIUI | + | | | udeW | + | | | noPSUn70gLhcj/lvxl7K9BHyD4Sq5C | + | | | zktwYtFWLiiwV+ZY/Fl6JgbGaQyQB2 | + | | | bP4i | + | | | RMfloGqsxGuB1evWVDF1haGpFDSPgM | + | | | nEPSLg3/3dXn+HDJbZ29EU8/xKzQEb | + | | | 3V0A | + | | | HKbu80zGllLEt2Zx/WDIrgJEN9yMfg | + | | | KFpcmL+BvIRsmh0VsCAwEAAaOBqzCB | + | | | qDAf | + | | | BgNVHSMEGDAWgBQATgxHQyRUfKIZtd | + | | | p55bZlFr+tFzAPBgNVHRMBAf8EBTAD | + | | | AQH/ | + | | | MA4GA1UdDwEB/wQEAwIBxjAdBgNVHQ | + | | | 4EFgQUAE4MR0MkVHyiGbXaeeW2ZRa/ | + | | | rRcw | + | | | RQYIKwYBBQUHAQEEOTA3MDUGCCsGAQ | + | | | UFBzABhilodHRwOi8vbG9jYWxob3N0 | + | | | Lmxv | + | | | Y2FsZG9tYWluOjkxODAvY2Evb2NzcD | + | | | ANBgkqhkiG9w0BAQUFAAOCAQEAi8Gk | + | | | L3XO | + | | | 43u7/TDOeEsWPmq+jZsDZ3GZ85Ajt3 | + | | | KROLWeKVZZZa2E2Hnsvf2uXbk5amKe | + | | | lRxd | + | | | SeRH9g85pv4KY7Z8xZ71NrI3+K3uwm | + | | | nqkc6t0hhYb1mw/gx8OAAoluQx3biX | + | | | JBDx | + | | | jI73Cf7XUopplHBjjiwyGIJUO8BEZJ | + | | | 5L+TF4P38MJz1snLtzZpEAX5bl0U76 | + | | | bfu/ | + | | | tZFWBbE8YAWYtkCtMcalBPj6jn2WD3 | + | | | M01kGozW4mmbvsj1cRB9HnsGsqyHCu | + | | | U0uj | + | | | lL1H/RWcjn607+CTeKH9jLMUqCIqPJ | + | | | NOa+kq/6F7NhNRRiuzASIbZc30BZ5a | + | | | nI7q5n1USM3eWQlVXw== | + | | | -----END CERTIFICATE----- | + | | | Listing Keys | + | | | Keys are the original | + | | | material used to encrypt | + | | | certificate data. The keys | + | | | generated for certificates | + | | | are stored separately, in the | + | | | key database. | + | | | To list all keys in the | + | | | database, use the -K command | + | | | option and the | + | | | (required) -d argument to | + | | | give the path to the | + | | | directory. | + | | | $ certutil -K -d | + | | | sql:/home/my/sharednssdb | + | | | certutil: Checking token "NSS | + | | | Certificate DB" in slot "NSS | + | | | User Private Key and | + | | | Certificate | + | | | Services " | + | | | < 0> rsa | + | | | 455a6673bde9 | + | | | 375c2887ec8bf8016b3f9f35861d | + | | | Thawte Freemail Member's | + | | | Thawte Consulting (Pty) Ltd. | + | | | ID | + | | | < 1> rsa | + | | | 40defeeb522a | + | | | de11090eacebaaf1196a172127df | + | | | Example Domain Administrator | + | | | Cert | + | | | < 2> rsa | + | | | 1d0b06f44f6c | + | | | 03842f7d4f4a1dc78b3bcd1b85a5 | + | | | John Smith user cert | + | | | There are ways to narrow | + | | | the keys listed in the search | + | | | results: | + | | | o To return a specific | + | | | key, use the -n name argument | + | | | with the name of | + | | | the key. | + | | | o If there are multiple | + | | | security devices loaded, then | + | | | the -h tokenname | + | | | argument can search a | + | | | specific token or all tokens. | + | | | o If there are multiple | + | | | key types available, then the | + | | | -k key-type | + | | | argument can search a | + | | | specific type of key, like | + | | | RSA, DSA, or ECC. | + | | | Listing Security Modules | + | | | The devices that can be | + | | | used to store certificates -- | + | | | both internal | + | | | databases and external | + | | | devices like smart cards -- | + | | | are recognized and used | + | | | by loading security | + | | | modules. The -U command option | + | | | lists all of the | + | | | security modules listed in | + | | | the secmod.db database. The | + | | | path to the | + | | | directory (-d) is required. | + | | | $ certutil -U -d | + | | | sql:/home/my/sharednssdb | + | | | slot: NSS User Private | + | | | Key and Certificate Services | + | | | token: NSS Certificate DB | + | | | slot: NSS Internal | + | | | Cryptographic Services | + | | | token: NSS Generic Crypto | + | | | Services | + | | | Adding Certificates to the | + | | | Database | + | | | Existing certificates or | + | | | certificate requests can be | + | | | added manually to the | + | | | certificate database, even | + | | | if they were generated | + | | | elsewhere. This uses the | + | | | -A command option. | + | | | certutil -A -n certname -t | + | | | trustargs -d [sql:]directory | + | | | [-a] [-i input-file] | + | | | For example: | + | | | $ certutil -A -n "CN=My SSL | + | | | Certificate" -t "u,u,u" -d | + | | | sql:/home/my/sharednssdb -i | + | | | /home/example-certs/cert.cer | + | | | A related command option, | + | | | -E, is used specifically to | + | | | add email | + | | | certificates to the | + | | | certificate database. The -E | + | | | command has the same | + | | | arguments as the -A | + | | | command. The trust arguments | + | | | for certificates have the | + | | | format | + | | | SSL,S/MIME,Code-signing, so | + | | | the middle trust settings | + | | | relate most | + | | | to email certificates | + | | | (though the others can be | + | | | set). For example: | + | | | $ certutil -E -n "CN=John | + | | | Smith Email Cert" -t ",Pu," -d | + | | | sql:/home/my/sharednssdb -i | + | | | /home/example-certs/email.cer | + | | | Deleting Certificates to | + | | | the Database | + | | | Certificates can be deleted | + | | | from a database using the -D | + | | | option. The only | + | | | required options are to | + | | | give the security database | + | | | directory and to | + | | | identify the certificate | + | | | nickname. | + | | | certutil -D -d | + | | | [sql:]directory -n "nickname" | + | | | For example: | + | | | $ certutil -D -d | + | | | sql:/home/my/sharednssdb -n | + | | | "my-ssl-cert" | + | | | Validating Certificates | + | | | A certificate contains an | + | | | expiration date in itself, and | + | | | expired | + | | | certificates are easily | + | | | rejected. However, | + | | | certificates can also be | + | | | revoked before they hit | + | | | their expiration date. | + | | | Checking whether a | + | | | certificate has been | + | | | revoked requires validating | + | | | the certificate. | + | | | Validation can also be used | + | | | to ensure that the certificate | + | | | is only used | + | | | for the purposes it was | + | | | initially issued for. | + | | | Validation is carried out by | + | | | the -V command option. | + | | | certutil -V -n | + | | | certificate-name [-b time] | + | | | [-e] [-u cert-usage] -d | + | | | [sql:]directory | + | | | For example, to validate an | + | | | email certificate: | + | | | $ certutil -V -n "John | + | | | Smith's Email Cert" -e -u S,R | + | | | -d sql:/home/my/sharednssdb | + | | | Modifying Certificate Trust | + | | | Settings | + | | | The trust settings (which | + | | | relate to the operations that | + | | | a certificate is | + | | | allowed to be used for) can | + | | | be changed after a certificate | + | | | is created or | + | | | added to the database. This | + | | | is especially useful for CA | + | | | certificates, but | + | | | it can be performed for any | + | | | type of certificate. | + | | | certutil -M -n | + | | | certificate-name -t trust-args | + | | | -d [sql:]directory | + | | | For example: | + | | | $ certutil -M -n "My CA | + | | | Certificate" -d | + | | | sql:/home/my/sharednssdb -t | + | | | "CTu,CTu,CTu" | + | | | Printing the Certificate | + | | | Chain | + | | | Certificates can be issued | + | | | in chains because every | + | | | certificate authority | + | | | itself has a certificate; | + | | | when a CA issues a | + | | | certificate, it essentially | + | | | stamps that certificate | + | | | with its own fingerprint. The | + | | | -O prints the full | + | | | chain of a certificate, | + | | | going from the initial CA (the | + | | | root CA) through | + | | | ever intermediary CA to the | + | | | actual certificate. For | + | | | example, for an email | + | | | certificate with two CAs in | + | | | the chain: | + | | | $ certutil -d | + | | | sql:/home/my/sharednssdb -O -n | + | | | "jsmith@example.com" | + | | | "Builtin Object Token:Thawte | + | | | Personal Freemail CA" | + | | | [E=personal | + | | | -freemail@thawte.com,CN=Thawte | + | | | Personal Freemail | + | | | CA,OU=Certification Services | + | | | Division,O=Thawte | + | | | Consulting,L=Cape | + | | | Town,ST=Western Cape,C=ZA] | + | | | "Thawte Personal Freemail | + | | | Issuing CA - Thawte | + | | | Consulting" [CN=Thawte | + | | | Personal Freemail Issuing | + | | | CA,O=Thawte Consulting (Pty) | + | | | Ltd.,C=ZA] | + | | | "(null)" | + | | | [ | + | | | E=jsmith@example.com,CN=Thawte | + | | | Freemail Member] | + | | | Resetting a Token | + | | | The device which stores | + | | | certificates -- both external | + | | | hardware devices and | + | | | internal software databases | + | | | -- can be blanked and reused. | + | | | This operation | + | | | is performed on the device | + | | | which stores the data, not | + | | | directly on the | + | | | security databases, so the | + | | | location must be referenced | + | | | through the token | + | | | name (-h) as well as any | + | | | directory path. If there is no | + | | | external token | + | | | used, the default value is | + | | | internal. | + | | | certutil -T -d | + | | | [sql:]directory -h token-name | + | | | -0 security-officer-password | + | | | Many networks have | + | | | dedicated personnel who handle | + | | | changes to security | + | | | tokens (the security | + | | | officer). This person must | + | | | supply the password to | + | | | access the specified token. | + | | | For example: | + | | | $ certutil -T -d | + | | | sql:/home/my/sharednssdb -h | + | | | nethsm -0 secret | + | | | Upgrading or Merging the | + | | | Security Databases | + | | | Many networks or | + | | | applications may be using | + | | | older BerkeleyDB versions of | + | | | the certificate database | + | | | (cert8.db). Databases can be | + | | | upgraded to the new | + | | | SQLite version of the | + | | | database (cert9.db) using the | + | | | --upgrade-merge | + | | | command option or existing | + | | | databases can be merged with | + | | | the new cert9.db | + | | | databases using the | + | | | ---merge command. | + | | | The --upgrade-merge command | + | | | must give information about | + | | | the original | + | | | database and then use the | + | | | standard arguments (like -d) | + | | | to give the | + | | | information about the new | + | | | databases. The command also | + | | | requires information | + | | | that the tool uses for the | + | | | process to upgrade and write | + | | | over the original | + | | | database. | + | | | certutil --upgrade-merge -d | + | | | [sql:]directory [-P dbprefix] | + | | | --source-dir directory | + | | | --source-prefix dbprefix | + | | | --upgrade-id id | + | | | --upgrade-token-name name [-@ | + | | | password-file] | + | | | For example: | + | | | $ certutil --upgrade-merge -d | + | | | sql:/home/my/sharednssdb | + | | | --source-dir | + | | | /opt/my-app/alias/ | + | | | --source-prefix serverapp- | + | | | --upgrade-id 1 | + | | | --upgrade-token-name internal | + | | | The --merge command only | + | | | requires information about the | + | | | location of the | + | | | original database; since it | + | | | doesn't change the format of | + | | | the database, it | + | | | can write over information | + | | | without performing interim | + | | | step. | + | | | certutil --merge -d | + | | | [sql:]directory [-P dbprefix] | + | | | --source-dir directory | + | | | --source-prefix dbprefix [-@ | + | | | password-file] | + | | | For example: | + | | | $ certutil --merge -d | + | | | sql:/home/my/sharednssdb | + | | | --source-dir | + | | | /opt/my-app/alias/ | + | | | --source-prefix serverapp- | + | | | Running certutil Commands | + | | | from a Batch File | + | | | A series of commands can be | + | | | run sequentially from a text | + | | | file with the -B | + | | | command option. The only | + | | | argument for this specifies | + | | | the input file. | + | | | $ certutil -B -i | + | | | /path/to/batch-file | + | | | NSS Database Types | + | | | NSS originally used | + | | | BerkeleyDB databases to store | + | | | security information. | + | | | The last versions of these | + | | | legacy databases are: | + | | | o cert8.db for | + | | | certificates | + | | | o key3.db for keys | + | | | o secmod.db for PKCS #11 | + | | | module information | + | | | BerkeleyDB has performance | + | | | limitations, though, which | + | | | prevent it from | + | | | being easily used by | + | | | multiple applications | + | | | simultaneously. NSS has some | + | | | flexibility that allows | + | | | applications to use their own, | + | | | independent | + | | | database engine while | + | | | keeping a shared database and | + | | | working around the | + | | | access issues. Still, NSS | + | | | requires more flexibility to | + | | | provide a truly | + | | | shared security database. | + | | | In 2009, NSS introduced a | + | | | new set of databases that are | + | | | SQLite databases | + | | | rather than BerkleyDB. | + | | | These new databases provide | + | | | more accessibility and | + | | | performance: | + | | | o cert9.db for | + | | | certificates | + | | | o key4.db for keys | + | | | o pkcs11.txt, which is | + | | | listing of all of the PKCS #11 | + | | | modules contained | + | | | in a new subdirectory | + | | | in the security databases | + | | | directory | + | | | Because the SQLite | + | | | databases are designed to be | + | | | shared, these are the | + | | | shared database type. The | + | | | shared database type is | + | | | preferred; the legacy | + | | | format is included for | + | | | backward compatibility. | + | | | By default, the tools | + | | | (certutil, pk12util, modutil) | + | | | assume that the given | + | | | security databases follow | + | | | the more common legacy type. | + | | | Using the SQLite | + | | | databases must be manually | + | | | specified by using the sql: | + | | | prefix with the | + | | | given security directory. | + | | | For example: | + | | | $ certutil -L -d | + | | | sql:/home/my/sharednssdb | + | | | To set the shared database | + | | | type as the default type for | + | | | the tools, set the | + | | | NSS_DEFAULT_DB_TYPE | + | | | environment variable to sql: | + | | | export | + | | | NSS_DEFAULT_DB_TYPE="sql" | + | | | This line can be set added | + | | | to the ~/.bashrc file to make | + | | | the change | + | | | permanent. | + | | | Most applications do not | + | | | use the shared database by | + | | | default, but they can | + | | | be configured to use them. | + | | | For example, this how-to | + | | | article covers how to | + | | | configure Firefox and | + | | | Thunderbird to use the new | + | | | shared NSS databases: | + | | | | + | | | o https://wiki.m | + | | | ozilla.org/NSS_Shared_DB_Howto | + | | | For an engineering draft on | + | | | the changes in the shared NSS | + | | | databases, see | + | | | the NSS project wiki: | + | | | | + | | | o https:// | + | | | wiki.mozilla.org/NSS_Shared_DB | + | | | See Also | + | | | pk12util (1) | + | | | modutil (1) | + | | | certutil has arguments or | + | | | operations that use features | + | | | defined in several | + | | | IETF RFCs. | + | | | | + | | | o `http://tools.ietf.org/htm | + | | | l/rfc5280 `__ | + | | | | + | | | o `http://tools.ietf.org/htm | + | | | l/rfc1113 `__ | + | | | | + | | | o `http://tools.ietf.org/htm | + | | | l/rfc1485 `__ | + | | | The NSS wiki has | + | | | information on the new | + | | | database design and how to | + | | | configure applications to | + | | | use it. | + | | | | + | | | o https://wiki.m | + | | | ozilla.org/NSS_Shared_DB_Howto | + | | | | + | | | o https:// | + | | | wiki.mozilla.org/NSS_Shared_DB | + | | | Additional Resources | + | | | For information about NSS | + | | | and other tools related to NSS | + | | | (like JSS), check | + | | | out the NSS project wiki at | + | | | | + | | | [1]\ `http://www.mozil | + | | | la.org/projects/security/pki/n | + | | | ss/ `__. | + | | | The NSS site relates | + | | | directly to NSS code | + | | | changes and releases. | + | | | Mailing lists: | + | | | https://lists.mozill | + | | | a.org/listinfo/dev-tech-crypto | + | | | IRC: Freenode at | + | | | #dogtag-pki | + | | | Authors | + | | | The NSS tools were written | + | | | and maintained by developers | + | | | with Netscape, Red | + | | | Hat, and Sun. | + | | | Authors: Elio Maldonado | + | | | , Deon | + | | | Lackey | + | | | . | + | | | Copyright | + | | | (c) 2010, Red Hat, Inc. | + | | | Licensed under the GNU Public | + | | | License version 2. | + | | | References | + | | | Visible links | + | | | 1. | + | | | `http://www.mozi | + | | | lla.org/projects/security/pki/ | + | | | nss/ `__ | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 339 | :ref:`mozil | | + | | la_projects_nss_tools_cmsutil` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Name | + | | | cmsutil — Performs basic | + | | | cryptograpic operations, such | + | | | as encryption and | + | | | decryption, on | + | | | Cryptographic Message Syntax | + | | | (CMS) messages. | + | | | Synopsis | + | | | cmsutil [options] | + | | | `arguments `__ | + | | | Description | + | | | The cmsutil command-line | + | | | uses the S/MIME Toolkit to | + | | | perform basic | + | | | operations, such as | + | | | encryption and decryption, on | + | | | Cryptographic Message | + | | | Syntax (CMS) messages. | + | | | To run cmsutil, type the | + | | | command cmsutil option | + | | | [arguments] where option | + | | | and arguments are | + | | | combinations of the options | + | | | and arguments listed in the | + | | | following section. Each | + | | | command takes one option. Each | + | | | option may take | + | | | zero or more arguments. To | + | | | see a usage string, issue the | + | | | command without | + | | | options. | + | | | Options and Arguments | + | | | Options | + | | | Options specify an action. | + | | | Option arguments modify an | + | | | action. The options | + | | | and arguments for the | + | | | cmsutil command are defined as | + | | | follows: | + | | | -D | + | | | Decode a message. | + | | | -C | + | | | Encrypt a message. | + | | | -E | + | | | Envelope a message. | + | | | -O | + | | | Create a | + | | | certificates-only message. | + | | | -S | + | | | Sign a message. | + | | | Arguments | + | | | Option arguments modify an | + | | | action and are lowercase. | + | | | -c content | + | | | Use this detached | + | | | content (decode only). | + | | | -d dbdir | + | | | Specify the | + | | | key/certificate database | + | | | directory (default is ".") | + | | | -e envfile | + | | | Specify a file | + | | | containing an enveloped | + | | | message for a set of | + | | | recipients to which | + | | | you would like to send an | + | | | encrypted message. | + | | | If this is the | + | | | first encrypted message for | + | | | that set of recipients, | + | | | a new enveloped | + | | | message will be created that | + | | | you can then use for | + | | | future messages | + | | | (encrypt only). | + | | | -G | + | | | Include a signing | + | | | time attribute (sign only). | + | | | -h num | + | | | Generate email | + | | | headers with info about CMS | + | | | message (decode only). | + | | | -i infile | + | | | Use infile as a | + | | | source of data (default is | + | | | stdin). | + | | | -N nickname | + | | | Specify nickname of | + | | | certificate to sign with (sign | + | | | only). | + | | | -n | + | | | Suppress output of | + | | | contents (decode only). | + | | | -o outfile | + | | | Use outfile as a | + | | | destination of data (default | + | | | is stdout). | + | | | -P | + | | | Include an S/MIME | + | | | capabilities attribute. | + | | | -p password | + | | | Use password as key | + | | | database password. | + | | | -r recipient1,recipient2, | + | | | ... | + | | | Specify list of | + | | | recipients (email addresses) | + | | | for an encrypted or | + | | | enveloped message. | + | | | For certificates-only message, | + | | | list of | + | | | certificates to | + | | | send. | + | | | -T | + | | | Suppress content in | + | | | CMS message (sign only). | + | | | -u certusage | + | | | Set type of cert | + | | | usage (default is | + | | | certUsageEmailSigner). | + | | | -Y ekprefnick | + | | | Specify an | + | | | encryption key preference by | + | | | nickname. | + | | | Usage | + | | | Encrypt Example | + | | | cmsutil -C [-i infile] [-o | + | | | outfile] [-d dbdir] [-p | + | | | password] -r | + | | | "recipient1,recipient2, . . ." | + | | | -e envfile | + | | | Decode Example | + | | | cmsutil -D [-i infile] [-o | + | | | outfile] [-d dbdir] [-p | + | | | password] [-c content] [-n] | + | | | [-h num] | + | | | Envelope Example | + | | | cmsutil -E [-i infile] [-o | + | | | outfile] [-d dbdir] [-p | + | | | password] -r | + | | | "recipient1,recipient2, ..." | + | | | Certificate-only Example | + | | | cmsutil -O [-i infile] [-o | + | | | outfile] [-d dbdir] [-p | + | | | password] -r "cert1,cert2, . . | + | | | ." | + | | | Sign Message Example | + | | | cmsutil -S [-i infile] [-o | + | | | outfile] [-d dbdir] [-p | + | | | password] -N nickname[-TGP] | + | | | [-Y ekprefnick] | + | | | See also | + | | | certutil(1) | + | | | See Also | + | | | Additional Resources | + | | | NSS is maintained in | + | | | conjunction with PKI and | + | | | security-related projects | + | | | through Mozilla dn Fedora. | + | | | The most closely-related | + | | | project is Dogtag PKI, | + | | | with a project wiki at | + | | | [1]\ http: | + | | | //pki.fedoraproject.org/wiki/. | + | | | For information | + | | | specifically about NSS, the | + | | | NSS project wiki is located at | + | | | | + | | | [2]\ `http://www.mozil | + | | | la.org/projects/security/pki/n | + | | | ss/ `__. | + | | | The NSS site relates | + | | | directly to NSS code | + | | | changes and releases. | + | | | Mailing lists: | + | | | pki-devel@redhat.com and | + | | | pki-users@redhat.com | + | | | IRC: Freenode at | + | | | #dogtag-pki | + | | | Authors | + | | | The NSS tools were written | + | | | and maintained by developers | + | | | with Netscape and | + | | | now with Red Hat. | + | | | Authors: Elio Maldonado | + | | | , Deon | + | | | Lackey | + | | | . | + | | | Copyright | + | | | (c) 2010, Red Hat, Inc. | + | | | Licensed under the GNU Public | + | | | License version 2. | + | | | References | + | | | Visible links | + | | | 1. | + | | | http | + | | | ://pki.fedoraproject.org/wiki/ | + | | | 2. | + | | | `http://www.mozi | + | | | lla.org/projects/security/pki/ | + | | | nss/ `__ | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 340 | :ref:`mozil | | + | | la_projects_nss_tools_crlutil` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Name | + | | | crlutil — List, generate, | + | | | modify, or delete CRLs within | + | | | the NSS security | + | | | database file(s) and list, | + | | | create, modify or delete | + | | | certificates entries | + | | | in a particular CRL. | + | | | Synopsis | + | | | crlutil [options] | + | | | `arguments `__ | + | | | Description | + | | | The Certificate Revocation | + | | | List (CRL) Management Tool, | + | | | crlutil, is a | + | | | command-line utility that | + | | | can list, generate, modify, or | + | | | delete CRLs | + | | | within the NSS security | + | | | database file(s) and list, | + | | | create, modify or | + | | | delete certificates entries | + | | | in a particular CRL. | + | | | The key and certificate | + | | | management process generally | + | | | begins with creating | + | | | keys in the key database, | + | | | then generating and managing | + | | | certificates in the | + | | | certificate database(see | + | | | certutil tool) and continues | + | | | with certificates | + | | | expiration or revocation. | + | | | This document discusses | + | | | certificate revocation list | + | | | management. For | + | | | information on security | + | | | module database management, | + | | | see Using the Security | + | | | Module Database Tool. For | + | | | information on certificate and | + | | | key database | + | | | management, see Using the | + | | | Certificate Database Tool. | + | | | To run the Certificate | + | | | Revocation List Management | + | | | Tool, type the command | + | | | crlutil option [arguments] | + | | | where options and arguments | + | | | are combinations of the | + | | | options and arguments | + | | | listed in the following | + | | | section. Each command takes | + | | | one option. Each | + | | | option may take zero or | + | | | more arguments. To see a usage | + | | | string, issue the | + | | | command without options, or | + | | | with the -H option. | + | | | Options and Arguments | + | | | Options | + | | | Options specify an action. | + | | | Option arguments modify an | + | | | action. The options | + | | | and arguments for the | + | | | crlutil command are defined as | + | | | follows: | + | | | -G | + | | | Create new | + | | | Certificate Revocation | + | | | List(CRL). | + | | | -D | + | | | Delete Certificate | + | | | Revocation List from cert | + | | | database. | + | | | -I | + | | | Import a CRL to the | + | | | cert database | + | | | -E | + | | | Erase all CRLs of | + | | | specified type from the cert | + | | | database | + | | | -L | + | | | List existing CRL | + | | | located in cert database file. | + | | | -M | + | | | Modify existing CRL | + | | | which can be located in cert | + | | | db or in | + | | | arbitrary file. If | + | | | located in file it should be | + | | | encoded in ASN.1 | + | | | encode format. | + | | | -G | + | | | Arguments | + | | | Option arguments modify an | + | | | action and are lowercase. | + | | | -B | + | | | Bypass CA signature | + | | | checks. | + | | | -P dbprefix | + | | | Specify the prefix | + | | | used on the NSS security | + | | | database files (for | + | | | example, | + | | | my_cert8.db and my_key3.db). | + | | | This option is provided as a | + | | | special case. | + | | | Changing the names of the | + | | | certificate and key | + | | | databases is not | + | | | recommended. | + | | | -a | + | | | Use ASCII format or | + | | | allow the use of ASCII format | + | | | for input and | + | | | output. This | + | | | formatting follows RFC #1113. | + | | | -c crl-gen-file | + | | | Specify script file | + | | | that will be used to control | + | | | crl | + | | | | + | | | generation/modification. See | + | | | crl-cript-file format below. | + | | | If | + | | | options -M|-G is | + | | | used and -c crl-script-file is | + | | | not specified, | + | | | crlutil will read | + | | | script data from standard | + | | | input. | + | | | -d directory | + | | | Specify the | + | | | database directory containing | + | | | the certificate and key | + | | | database files. On | + | | | Unix the Certificate Database | + | | | Tool defaults to | + | | | $HOME/.netscape | + | | | (that is, ~/.netscape). On | + | | | Windows NT the default | + | | | is the current | + | | | directory. | + | | | The NSS database | + | | | files must reside in the same | + | | | directory. | + | | | -i crl-import-file | + | | | Specify the file | + | | | which contains the CRL to | + | | | import | + | | | -f password-file | + | | | Specify a file that | + | | | will automatically supply the | + | | | password to | + | | | include in a | + | | | certificate or to access a | + | | | certificate database. This | + | | | is a plain-text | + | | | file containing one password. | + | | | Be sure to prevent | + | | | unauthorized access | + | | | to this file. | + | | | -l algorithm-name | + | | | Specify a specific | + | | | signature algorithm. List of | + | | | possible | + | | | algorithms: MD2 \| | + | | | MD4 \| MD5 \| SHA1 \| SHA256 | + | | | \| SHA384 \| SHA512 | + | | | -n nickname | + | | | Specify the | + | | | nickname of a certificate or | + | | | key to list, create, add | + | | | to a database, | + | | | modify, or validate. Bracket | + | | | the nickname string | + | | | with quotation | + | | | marks if it contains spaces. | + | | | -o output-file | + | | | Specify the output | + | | | file name for new CRL. Bracket | + | | | the output-file | + | | | string with | + | | | quotation marks if it contains | + | | | spaces. If this | + | | | argument is not | + | | | used the output destination | + | | | defaults to standard | + | | | output. | + | | | -t crl-type | + | | | Specify type of | + | | | CRL. possible types are: 0 - | + | | | SEC_KRL_TYPE, 1 - | + | | | SEC_CRL_TYPE. This | + | | | option is obsolete | + | | | -u url | + | | | Specify the url. | + | | | CRL Generation script syntax | + | | | CRL generation script file | + | | | has the following syntax: | + | | | \* Line with comments | + | | | should have # as a first | + | | | symbol of a line | + | | | \* Set "this update" or | + | | | "next update" CRL fields: | + | | | update=YYYYMMDDhhmmssZ | + | | | nextupdate=YYYYMMDDhhmmssZ | + | | | Field "next update" is | + | | | optional. Time should be in | + | | | GeneralizedTime format | + | | | (YYYYMMDDhhmmssZ). For | + | | | example: 20050204153000Z | + | | | \* Add an extension to a | + | | | CRL or a crl certificate | + | | | entry: | + | | | addext extension-name | + | | | critical/non-critical | + | | | [arg1[arg2 ...]] | + | | | Where: | + | | | extension-name: string | + | | | value of a name of known | + | | | extensions. | + | | | critical/non-critical: is 1 | + | | | when extension is critical and | + | | | 0 otherwise. | + | | | arg1, arg2: specific to | + | | | extension type extension | + | | | parameters | + | | | addext uses the range that | + | | | was set earlier by addcert and | + | | | will install an | + | | | extension to every cert | + | | | entries within the range. | + | | | \* Add certificate | + | | | entries(s) to CRL: | + | | | addcert range date | + | | | range: two integer values | + | | | separated by dash: range of | + | | | certificates that | + | | | will be added by this | + | | | command. dash is used as a | + | | | delimiter. Only one cert | + | | | will be added if there is | + | | | no delimiter. date: revocation | + | | | date of a cert. | + | | | Date should be represented | + | | | in GeneralizedTime format | + | | | (YYYYMMDDhhmmssZ). | + | | | \* Remove certificate | + | | | entry(s) from CRL | + | | | rmcert range | + | | | Where: | + | | | range: two integer values | + | | | separated by dash: range of | + | | | certificates that | + | | | will be added by this | + | | | command. dash is used as a | + | | | delimiter. Only one cert | + | | | will be added if there is | + | | | no delimiter. | + | | | \* Change range of | + | | | certificate entry(s) in CRL | + | | | range new-range | + | | | Where: | + | | | new-range: two integer | + | | | values separated by dash: | + | | | range of certificates | + | | | that will be added by this | + | | | command. dash is used as a | + | | | delimiter. Only one | + | | | cert will be added if there | + | | | is no delimiter. | + | | | Implemented Extensions | + | | | The extensions defined for | + | | | CRL provide methods for | + | | | associating additional | + | | | attributes with CRLs of | + | | | theirs entries. For more | + | | | information see RFC #3280 | + | | | \* Add The Authority Key | + | | | Identifier extension: | + | | | The authority key | + | | | identifier extension provides | + | | | a means of identifying the | + | | | public key corresponding to | + | | | the private key used to sign a | + | | | CRL. | + | | | authKeyId critical [key-id | + | | | \| dn cert-serial] | + | | | Where: | + | | | authKeyIdent: identifies | + | | | the name of an extension | + | | | critical: value of 1 of | + | | | 0. Should be set to 1 if | + | | | this extension is critical or | + | | | 0 otherwise. | + | | | key-id: key identifier | + | | | represented in octet string. | + | | | dn:: is a CA | + | | | distinguished name | + | | | cert-serial: authority | + | | | certificate serial number. | + | | | \* Add Issuer Alternative | + | | | Name extension: | + | | | The issuer alternative | + | | | names extension allows | + | | | additional identities to be | + | | | associated with the issuer | + | | | of the CRL. Defined options | + | | | include an rfc822 | + | | | name (electronic mail | + | | | address), a DNS name, an IP | + | | | address, and a URI. | + | | | issuerAltNames non-critical | + | | | name-list | + | | | Where: | + | | | subjAltNames: identifies | + | | | the name of an extension | + | | | should be set to 0 since | + | | | this is non-critical | + | | | extension name-list: comma | + | | | separated list of names | + | | | \* Add CRL Number | + | | | extension: | + | | | The CRL number is a | + | | | non-critical CRL extension | + | | | which conveys a | + | | | monotonically increasing | + | | | sequence number for a given | + | | | CRL scope and CRL | + | | | issuer. This extension | + | | | allows users to easily | + | | | determine when a particular | + | | | CRL supersedes another CRL | + | | | crlNumber non-critical | + | | | number | + | | | Where: | + | | | crlNumber: identifies the | + | | | name of an extension critical: | + | | | should be set to | + | | | 0 since this is | + | | | non-critical extension number: | + | | | value of long which | + | | | identifies the sequential | + | | | number of a CRL. | + | | | \* Add Revocation Reason | + | | | Code extension: | + | | | The reasonCode is a | + | | | non-critical CRL entry | + | | | extension that identifies the | + | | | reason for the certificate | + | | | revocation. | + | | | reasonCode non-critical | + | | | code | + | | | Where: | + | | | reasonCode: identifies the | + | | | name of an extension | + | | | non-critical: should be | + | | | set to 0 since this is | + | | | non-critical extension code: | + | | | the following codes | + | | | are available: | + | | | unspecified (0), | + | | | keyCompromise (1), | + | | | cACompromise (2), | + | | | affiliationChanged | + | | | (3), superseded (4), | + | | | cessationOfOperation (5), | + | | | certificateHold (6), | + | | | removeFromCRL (8), | + | | | privilegeWithdrawn (9), | + | | | aACompromise (10) | + | | | \* Add Invalidity Date | + | | | extension: | + | | | The invalidity date is a | + | | | non-critical CRL entry | + | | | extension that provides | + | | | the date on which it is | + | | | known or suspected that the | + | | | private key was | + | | | compromised or that the | + | | | certificate otherwise became | + | | | invalid. | + | | | invalidityDate non-critical | + | | | date | + | | | Where: | + | | | crlNumber: identifies the | + | | | name of an extension | + | | | non-critical: should be set | + | | | to 0 since this is | + | | | non-critical extension date: | + | | | invalidity date of a cert. | + | | | Date should be represented | + | | | in GeneralizedTime format | + | | | (YYYYMMDDhhmmssZ). | + | | | Usage | + | | | The Certificate Revocation | + | | | List Management Tool's | + | | | capabilities are grouped | + | | | as follows, using these | + | | | combinations of options and | + | | | arguments. Options and | + | | | arguments in square | + | | | brackets are optional, those | + | | | without square brackets | + | | | are required. | + | | | See "Implemented | + | | | extensions" for more | + | | | information regarding | + | | | extensions and | + | | | their parameters. | + | | | \* Creating or modifying a | + | | | CRL: | + | | | crlutil -G|-M -c crl-gen-file | + | | | -n nickname [-i crl] [-u url] | + | | | [-d keydir] [-P dbprefix] [-l | + | | | alg] [-a] [-B] | + | | | \* Listing all CRls or a | + | | | named CRL: | + | | | crlutil -L [-n | + | | | crl-name] [-d krydir] | + | | | \* Deleting CRL from db: | + | | | crlutil -D -n | + | | | nickname [-d keydir] [-P | + | | | dbprefix] | + | | | \* Erasing CRLs from db: | + | | | crlutil -E [-d | + | | | keydir] [-P dbprefix] | + | | | \* Deleting CRL from db: | + | | | crlutil -D -n | + | | | nickname [-d keydir] [-P | + | | | dbprefix] | + | | | \* Erasing CRLs from db: | + | | | crlutil -E [-d | + | | | keydir] [-P dbprefix] | + | | | \* Import CRL from file: | + | | | crlutil -I -i crl | + | | | [-t crlType] [-u url] [-d | + | | | keydir] [-P dbprefix] [-B] | + | | | See also | + | | | certutil(1) | + | | | See Also | + | | | Additional Resources | + | | | NSS is maintained in | + | | | conjunction with PKI and | + | | | security-related projects | + | | | through Mozilla dn Fedora. | + | | | The most closely-related | + | | | project is Dogtag PKI, | + | | | with a project wiki at | + | | | [1]\ http: | + | | | //pki.fedoraproject.org/wiki/. | + | | | For information | + | | | specifically about NSS, the | + | | | NSS project wiki is located at | + | | | | + | | | [2]\ `http://www.mozil | + | | | la.org/projects/security/pki/n | + | | | ss/ `__. | + | | | The NSS site relates | + | | | directly to NSS code | + | | | changes and releases. | + | | | Mailing lists: | + | | | pki-devel@redhat.com and | + | | | pki-users@redhat.com | + | | | IRC: Freenode at | + | | | #dogtag-pki | + | | | Authors | + | | | The NSS tools were written | + | | | and maintained by developers | + | | | with Netscape and | + | | | now with Red Hat. | + | | | Authors: Elio Maldonado | + | | | , Deon | + | | | Lackey | + | | | . | + | | | Copyright | + | | | (c) 2010, Red Hat, Inc. | + | | | Licensed under the GNU Public | + | | | License version 2. | + | | | References | + | | | Visible links | + | | | 1. | + | | | http | + | | | ://pki.fedoraproject.org/wiki/ | + | | | 2. | + | | | `http://www.mozi | + | | | lla.org/projects/security/pki/ | + | | | nss/ `__ | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 341 | :ref:`mozil | | + | | la_projects_nss_tools_modutil` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Name | + | | | modutil — Manage PKCS #11 | + | | | module information within the | + | | | security module | + | | | database. | + | | | Synopsis | + | | | modutil [options] | + | | | `arguments `__ | + | | | Description | + | | | The Security Module | + | | | Database Tool, modutil, is a | + | | | command-line utility for | + | | | managing PKCS #11 module | + | | | information both within | + | | | secmod.db files and | + | | | within hardware tokens. | + | | | modutil can add and delete | + | | | PKCS #11 modules, | + | | | change passwords on | + | | | security databases, set | + | | | defaults, list module | + | | | contents, enable or disable | + | | | slots, enable or disable FIPS | + | | | 140-2 | + | | | compliance, and assign | + | | | default providers for | + | | | cryptographic operations. | + | | | This tool can also create | + | | | certificate, key, and module | + | | | security database | + | | | files. | + | | | The tasks associated with | + | | | security module database | + | | | management are part of | + | | | a process that typically | + | | | also involves managing key | + | | | databases and | + | | | certificate databases. | + | | | Options | + | | | Running modutil always | + | | | requires one (and only one) | + | | | option to specify the | + | | | type of module operation. | + | | | Each option may take | + | | | arguments, anywhere from | + | | | none to multiple arguments. | + | | | Options | + | | | -add modulename | + | | | Add the named PKCS | + | | | #11 module to the database. | + | | | Use this option | + | | | with the -libfile, | + | | | -ciphers, and -mechanisms | + | | | arguments. | + | | | -changepw tokenname | + | | | Change the password | + | | | on the named token. If the | + | | | token has not been | + | | | initialized, this | + | | | option initializes the | + | | | password. Use this option | + | | | with the -pwfile | + | | | and -newpwfile arguments. A | + | | | password is | + | | | equivalent to a | + | | | personal identification number | + | | | (PIN). | + | | | -chkfips | + | | | Verify whether the | + | | | module is in the given FIPS | + | | | mode. true means to | + | | | verify that the | + | | | module is in FIPS mode, while | + | | | false means to | + | | | verify that the | + | | | module is not in FIPS mode. | + | | | -create | + | | | Create new | + | | | certificate, key, and module | + | | | databases. Use the -dbdir | + | | | directory argument | + | | | to specify a directory. If any | + | | | of these | + | | | databases already | + | | | exist in a specified | + | | | directory, modutil returns | + | | | an error message. | + | | | -default modulename | + | | | Specify the | + | | | security mechanisms for which | + | | | the named module will be | + | | | a default provider. | + | | | The security mechanisms are | + | | | specified with the | + | | | -mechanisms | + | | | argument. | + | | | -delete modulename | + | | | Delete the named | + | | | module. The default NSS PKCS | + | | | #11 module cannot be | + | | | deleted. | + | | | -disable modulename | + | | | Disable all slots | + | | | on the named module. Use the | + | | | -slot argument to | + | | | disable a specific | + | | | slot. | + | | | -enable modulename | + | | | Enable all slots on | + | | | the named module. Use the | + | | | -slot argument to | + | | | enable a specific | + | | | slot. | + | | | -fips [true \| false] | + | | | Enable (true) or | + | | | disable (false) FIPS 140-2 | + | | | compliance for the | + | | | default NSS module. | + | | | -force | + | | | Disable modutil's | + | | | interactive prompts so it can | + | | | be run from a | + | | | script. Use this | + | | | option only after manually | + | | | testing each planned | + | | | operation to check | + | | | for warnings and to ensure | + | | | that bypassing the | + | | | prompts will cause | + | | | no security lapses or loss of | + | | | database | + | | | integrity. | + | | | -jar JAR-file | + | | | Add a new PKCS #11 | + | | | module to the database using | + | | | the named JAR | + | | | file. Use this | + | | | command with the -installdir | + | | | and -tempdir | + | | | arguments. The JAR | + | | | file uses the NSS PKCS #11 JAR | + | | | format to | + | | | identify all the | + | | | files to be installed, the | + | | | module's name, the | + | | | mechanism flags, | + | | | and the cipher flags, as well | + | | | as any files to be | + | | | installed on the | + | | | target machine, including the | + | | | PKCS #11 module | + | | | library file and | + | | | other files such as | + | | | documentation. This is | + | | | covered in the JAR | + | | | installation file section in | + | | | the man page, | + | | | which details the | + | | | special script needed to | + | | | perform an installation | + | | | through a server or | + | | | with modutil. | + | | | -list [modulename] | + | | | Display basic | + | | | information about the contents | + | | | of the secmod.db | + | | | file. Specifying a | + | | | modulename displays detailed | + | | | information about | + | | | a particular module | + | | | and its slots and tokens. | + | | | -rawadd | + | | | Add the module spec | + | | | string to the secmod.db | + | | | database. | + | | | -rawlist | + | | | Display the module | + | | | specs for a specified module | + | | | or for all | + | | | loadable modules. | + | | | -undefault modulename | + | | | Specify the | + | | | security mechanisms for which | + | | | the named module will | + | | | not be a default | + | | | provider. The security | + | | | mechanisms are specified | + | | | with the | + | | | -mechanisms argument. | + | | | Arguments | + | | | MODULE | + | | | Give the security | + | | | module to access. | + | | | MODULESPEC | + | | | Give the security | + | | | module spec to load into the | + | | | security database. | + | | | -ciphers cipher-enable-list | + | | | Enable specific | + | | | ciphers in a module that is | + | | | being added to the | + | | | database. The | + | | | cipher-enable-list is a | + | | | colon-delimited list of | + | | | cipher names. | + | | | Enclose this list in quotation | + | | | marks if it contains | + | | | spaces. | + | | | -dbdir [sql:]directory | + | | | Specify the | + | | | database directory in which to | + | | | access or create | + | | | security module | + | | | database files. | + | | | modutil supports | + | | | two types of databases: the | + | | | legacy security | + | | | databases | + | | | (cert8.db, key3.db, and | + | | | secmod.db) and new SQLite | + | | | databases | + | | | (cert9.db, key4.db, and | + | | | pkcs11.txt). If the prefix | + | | | sql: | + | | | is not used, then | + | | | the tool assumes that the | + | | | given databases are in | + | | | the old format. | + | | | --dbprefix prefix | + | | | Specify the prefix | + | | | used on the database files, | + | | | such as my\_ for | + | | | my_cert8.db. This | + | | | option is provided as a | + | | | special case. Changing | + | | | the names of the | + | | | certificate and key databases | + | | | is not recommended. | + | | | -installdir | + | | | root-installation-directory | + | | | Specify the root | + | | | installation directory | + | | | relative to which files | + | | | will be installed | + | | | by the -jar option. This | + | | | directory should be one | + | | | below which it is | + | | | appropriate to store dynamic | + | | | library files, such | + | | | as a server's root | + | | | directory. | + | | | -libfile library-file | + | | | Specify a path to a | + | | | library file containing the | + | | | implementation of | + | | | the PKCS #11 | + | | | interface module that is being | + | | | added to the database. | + | | | -mechanisms mechanism-list | + | | | Specify the | + | | | security mechanisms for which | + | | | a particular module will | + | | | be flagged as a | + | | | default provider. The | + | | | mechanism-list is a | + | | | colon-delimited | + | | | list of mechanism names. | + | | | Enclose this list in | + | | | quotation marks if | + | | | it contains spaces. | + | | | The module becomes | + | | | a default provider for the | + | | | listed mechanisms | + | | | when those | + | | | mechanisms are enabled. If | + | | | more than one module claims | + | | | to be a particular | + | | | mechanism's default provider, | + | | | that mechanism's | + | | | default provider is | + | | | undefined. | + | | | modutil supports | + | | | several mechanisms: RSA, DSA, | + | | | RC2, RC4, RC5, AES, | + | | | DES, DH, SHA1, | + | | | SHA256, SHA512, SSL, TLS, MD5, | + | | | MD2, RANDOM (for | + | | | random number | + | | | generation), and FRIENDLY | + | | | (meaning certificates are | + | | | publicly readable). | + | | | -newpwfile | + | | | new-password-file | + | | | Specify a text file | + | | | containing a token's new or | + | | | replacement | + | | | password so that a | + | | | password can be entered | + | | | automatically with the | + | | | -changepw option. | + | | | -nocertdb | + | | | Do not open the | + | | | certificate or key databases. | + | | | This has several | + | | | effects: | + | | | o With the | + | | | -create command, only a module | + | | | security file is | + | | | created; | + | | | certificate and key databases | + | | | are not created. | + | | | o With the -jar | + | | | command, signatures on the JAR | + | | | file are not | + | | | checked. | + | | | o With the | + | | | -changepw command, the | + | | | password on the NSS internal | + | | | module cannot | + | | | be set or changed, since this | + | | | password is | + | | | stored in the | + | | | key database. | + | | | -pwfile old-password-file | + | | | Specify a text file | + | | | containing a token's existing | + | | | password so that | + | | | a password can be | + | | | entered automatically when the | + | | | -changepw option | + | | | is used to change | + | | | passwords. | + | | | -secmod secmodname | + | | | Give the name of | + | | | the security module database | + | | | (like secmod.db) to | + | | | load. | + | | | -slot slotname | + | | | Specify a | + | | | particular slot to be enabled | + | | | or disabled with the | + | | | -enable or -disable | + | | | options. | + | | | -string CONFIG_STRING | + | | | Pass a | + | | | configuration string for the | + | | | module being added to the | + | | | database. | + | | | -tempdir | + | | | temporary-directory | + | | | Give a directory | + | | | location where temporary files | + | | | are created during | + | | | the installation by | + | | | the -jar option. If no | + | | | temporary directory is | + | | | specified, the | + | | | current directory is used. | + | | | Usage and Examples | + | | | Creating Database Files | + | | | Before any operations can | + | | | be performed, there must be a | + | | | set of security | + | | | databases available. | + | | | modutil can be used to create | + | | | these files. The only | + | | | required argument is the | + | | | database that where the | + | | | databases will be | + | | | located. | + | | | modutil -create -dbdir | + | | | [sql:]directory | + | | | Adding a Cryptographic | + | | | Module | + | | | Adding a PKCS #11 module | + | | | means submitting a supporting | + | | | library file, | + | | | enabling its ciphers, and | + | | | setting default provider | + | | | status for various | + | | | security mechanisms. This | + | | | can be done by supplying all | + | | | of the information | + | | | through modutil directly or | + | | | by running a JAR file and | + | | | install script. For | + | | | the most basic case, simply | + | | | upload the library: | + | | | modutil -add modulename | + | | | -libfile library-file | + | | | [-ciphers cipher-enable-list] | + | | | [-mechanisms mechanism-list] | + | | | For example: | + | | | modutil -dbdir | + | | | sql:/home/my/sharednssdb -add | + | | | "Example PKCS #11 Module" | + | | | -libfile "/tmp/crypto.so" | + | | | -mechanisms RSA:DSA:RC2:RANDOM | + | | | Using database directory ... | + | | | Module "Example PKCS #11 | + | | | Module" added to database. | + | | | Installing a Cryptographic | + | | | Module from a JAR File | + | | | PKCS #11 modules can also | + | | | be loaded using a JAR file, | + | | | which contains all | + | | | of the required libraries | + | | | and an installation script | + | | | that describes how to | + | | | install the module. The JAR | + | | | install script is described in | + | | | more detail in | + | | | [1]the section called “JAR | + | | | Installation File Format”. | + | | | The JAR installation script | + | | | defines the setup information | + | | | for each | + | | | platform that the module | + | | | can be installed on. For | + | | | example: | + | | | Platforms { | + | | | Linux:5.4.08:x86 { | + | | | ModuleName { "Example | + | | | PKCS #11 Module" } | + | | | ModuleFile { crypto.so | + | | | } | + | | | | + | | | DefaultMechanismFlags{0x0000} | + | | | | + | | | CipherEnableFlags{0x0000} | + | | | Files { | + | | | crypto.so { | + | | | Path{ | + | | | /tmp/crypto.so } | + | | | } | + | | | setup.sh { | + | | | Executable | + | | | Path{ | + | | | /tmp/setup.sh } | + | | | } | + | | | } | + | | | } | + | | | Linux:6.0.0:x86 { | + | | | EquivalentPlatform { | + | | | Linux:5.4.08:x86 } | + | | | } | + | | | } | + | | | Both the install script and | + | | | the required libraries must be | + | | | bundled in a | + | | | JAR file, which is | + | | | specified with the -jar | + | | | argument. | + | | | modutil -dbdir | + | | | sql:/home/mt | + | | | "jar-install-filey/sharednssdb | + | | | -jar install.jar -installdir | + | | | sql:/home/my/sharednssdb | + | | | This installation JAR file | + | | | was signed by: | + | | | ---------------- | + | | | ------------------------------ | + | | | **SUBJECT NAME*\* | + | | | C=US, ST=California, | + | | | L=Mountain View, | + | | | CN=Cryptorific Inc., | + | | | OU=Digital ID | + | | | Class 3 - Netscape Object | + | | | Signing, | + | | | OU="w | + | | | ww.verisign.com/repository/CPS | + | | | Incorp. by Ref.,LIAB.LTD(c)9 | + | | | 6", OU=www.verisign.com/CPS | + | | | Incorp.by Ref | + | | | . LIABILITY LTD.(c)97 | + | | | VeriSign, OU=VeriSign Object | + | | | Signing CA - Class 3 | + | | | Organization, OU="VeriSign, | + | | | Inc.", O=VeriSign Trust | + | | | Network \**ISSUER | + | | | NAME**, | + | | | OU=www.verisign.com/CPS | + | | | Incorp.by Ref. LIABILITY | + | | | LTD.(c)97 | + | | | VeriSign, OU=VeriSign Object | + | | | Signing CA - Class 3 | + | | | Organization, | + | | | OU="VeriSign, Inc.", | + | | | O=VeriSign Trust Network | + | | | ---------------- | + | | | ------------------------------ | + | | | Do you wish to continue this | + | | | installation? (y/n) y | + | | | Using installer script | + | | | "installer_script" | + | | | Successfully parsed | + | | | installation script | + | | | Current platform is | + | | | Linux:5.4.08:x86 | + | | | Using installation parameters | + | | | for platform Linux:5.4.08:x86 | + | | | Installed file crypto.so to | + | | | /tmp/crypto.so | + | | | Installed file setup.sh to | + | | | ./pk11inst.dir/setup.sh | + | | | Executing | + | | | "./pk11inst.dir/setup.sh"... | + | | | "./pk11inst.dir/setup.sh" | + | | | executed successfully | + | | | Installed module "Example | + | | | PKCS #11 Module" into module | + | | | database | + | | | Installation completed | + | | | successfully | + | | | Adding Module Spec | + | | | Each module has information | + | | | stored in the security | + | | | database about its | + | | | configuration and | + | | | parameters. These can be added | + | | | or edited using the | + | | | -rawadd command. For the | + | | | current settings or to see the | + | | | format of the | + | | | module spec in the | + | | | database, use the -rawlist | + | | | option. | + | | | modutil -rawadd modulespec | + | | | Deleting a Module | + | | | A specific PKCS #11 module | + | | | can be deleted from the | + | | | secmod.db database: | + | | | modutil -delete modulename | + | | | -dbdir [sql:]directory | + | | | Displaying Module | + | | | Information | + | | | The secmod.db database | + | | | contains information about the | + | | | PKCS #11 modules | + | | | that are available to an | + | | | application or server to use. | + | | | The list of all | + | | | modules, information about | + | | | specific modules, and database | + | | | configuration | + | | | specs for modules can all | + | | | be viewed. | + | | | To simply get a list of | + | | | modules in the database, use | + | | | the -list command. | + | | | modutil -list [modulename] | + | | | -dbdir [sql:]directory | + | | | Listing the modules shows | + | | | the module name, their status, | + | | | and other | + | | | associated security | + | | | databases for certificates and | + | | | keys. For example: | + | | | modutil -list -dbdir | + | | | sql:/home/my/sharednssdb | + | | | Listing of PKCS #11 Modules | + | | | ----------------------------- | + | | | ------------------------------ | + | | | 1. NSS Internal PKCS #11 | + | | | Module | + | | | slots: 2 slots | + | | | attached | + | | | status: loaded | + | | | slot: NSS Internal | + | | | Cryptographic Services | + | | | token: NSS Generic | + | | | Crypto Services | + | | | slot: NSS User | + | | | Private Key and Certificate | + | | | Services | + | | | token: NSS | + | | | Certificate DB | + | | | ----------------------------- | + | | | ------------------------------ | + | | | Passing a specific module | + | | | name with the -list returns | + | | | details information | + | | | about the module itself, | + | | | like supported cipher | + | | | mechanisms, version | + | | | numbers, serial numbers, | + | | | and other information about | + | | | the module and the | + | | | token it is loaded on. For | + | | | example: | + | | | modutil -list "NSS Internal | + | | | PKCS #11 Module" -dbdir | + | | | sql:/home/my/sharednssdb | + | | | ----------------------------- | + | | | ------------------------------ | + | | | Name: NSS Internal PKCS #11 | + | | | Module | + | | | Library file: \**Internal | + | | | ONLY module*\* | + | | | Manufacturer: Mozilla | + | | | Foundation | + | | | Description: NSS Internal | + | | | Crypto Services | + | | | PKCS #11 Version 2.20 | + | | | Library Version: 3.11 | + | | | Cipher Enable Flags: None | + | | | Default Mechanism Flags: | + | | | RSA:RC2:RC4:D | + | | | ES:DH:SHA1:MD5:MD2:SSL:TLS:AES | + | | | Slot: NSS Internal | + | | | Cryptographic Services | + | | | Slot Mechanism Flags: | + | | | RSA:RC2:RC4:D | + | | | ES:DH:SHA1:MD5:MD2:SSL:TLS:AES | + | | | Manufacturer: Mozilla | + | | | Foundation | + | | | Type: Software | + | | | Version Number: 3.11 | + | | | Firmware Version: 0.0 | + | | | Status: Enabled | + | | | Token Name: NSS Generic | + | | | Crypto Services | + | | | Token Manufacturer: Mozilla | + | | | Foundation | + | | | Token Model: NSS 3 | + | | | Token Serial Number: | + | | | 0000000000000000 | + | | | Token Version: 4.0 | + | | | Token Firmware Version: 0.0 | + | | | Access: Write Protected | + | | | Login Type: Public (no | + | | | login required) | + | | | User Pin: NOT Initialized | + | | | Slot: NSS User Private Key | + | | | and Certificate Services | + | | | Slot Mechanism Flags: None | + | | | Manufacturer: Mozilla | + | | | Foundation | + | | | Type: Software | + | | | Version Number: 3.11 | + | | | Firmware Version: 0.0 | + | | | Status: Enabled | + | | | Token Name: NSS Certificate | + | | | DB | + | | | Token Manufacturer: Mozilla | + | | | Foundation | + | | | Token Model: NSS 3 | + | | | Token Serial Number: | + | | | 0000000000000000 | + | | | Token Version: 8.3 | + | | | Token Firmware Version: 0.0 | + | | | Access: NOT Write Protected | + | | | Login Type: Login required | + | | | User Pin: Initialized | + | | | A related command, -rawlist | + | | | returns information about the | + | | | database | + | | | configuration for the | + | | | modules. (This information can | + | | | be edited by loading | + | | | new specs using the -rawadd | + | | | command.) | + | | | modutil -rawlist -dbdir | + | | | sql:/home/my/sharednssdb | + | | | name="NSS Internal PKCS #11 | + | | | Module" | + | | | parameters="configdir=. | + | | | certPrefix= keyPrefix= | + | | | secmod=secmod.db | + | | | flags=readOnly " | + | | | NSS="trustOrder=75 | + | | | cipherOrder=100 | + | | | slotParams={0x00000001=[ | + | | | slotFlags=RSA,RC4,RC2,DES,DH,S | + | | | HA1,MD5,MD2,SSL,TLS,AES,RANDOM | + | | | askpw=any timeout=30 ] } | + | | | Flags=internal,critical" | + | | | Setting a Default Provider | + | | | for Security Mechanisms | + | | | Multiple security modules | + | | | may provide support for the | + | | | same security | + | | | mechanisms. It is possible | + | | | to set a specific security | + | | | module as the | + | | | default provider for a | + | | | specific security mechanism | + | | | (or, conversely, to | + | | | prohibit a provider from | + | | | supplying those mechanisms). | + | | | modutil -default modulename | + | | | -mechanisms mechanism-list | + | | | To set a module as the | + | | | default provider for | + | | | mechanisms, use the -default | + | | | command with a | + | | | colon-separated list of | + | | | mechanisms. The available | + | | | mechanisms depend on the | + | | | module; NSS supplies almost | + | | | all common | + | | | mechanisms. For example: | + | | | modutil -default "NSS | + | | | Internal PKCS #11 Module" | + | | | -dbdir -mechanisms RSA:DSA:RC2 | + | | | Using database directory | + | | | c:\databases... | + | | | Successfully changed | + | | | defaults. | + | | | Clearing the default | + | | | provider has the same format: | + | | | modutil -undefault "NSS | + | | | Internal PKCS #11 Module" | + | | | -dbdir -mechanisms MD2:MD5 | + | | | Enabling and Disabling | + | | | Modules and Slots | + | | | Modules, and specific slots | + | | | on modules, can be selectively | + | | | enabled or | + | | | disabled using modutil. | + | | | Both commands have the same | + | | | format: | + | | | modutil -enable|-disable | + | | | modulename [-slot slotname] | + | | | For example: | + | | | modutil -enable "NSS Internal | + | | | PKCS #11 Module" -slot "NSS | + | | | Internal Cryptographic | + | | | Servi | + | | | ces | + | | | " -dbdir . | + | | | Slot "NSS Internal | + | | | Cryptographic | + | | | Servi | + | | | ces | + | | | " enabled. | + | | | Be sure that the | + | | | appropriate amount of trailing | + | | | whitespace is after the | + | | | slot name. Some slot names | + | | | have a significant amount of | + | | | whitespace that | + | | | must be included, or the | + | | | operation will fail. | + | | | Enabling and Verifying FIPS | + | | | Compliance | + | | | The NSS modules can have | + | | | FIPS 140-2 compliance enabled | + | | | or disabled using | + | | | modutil with the -fips | + | | | option. For example: | + | | | modutil -fips true -dbdir | + | | | sql:/home/my/sharednssdb/ | + | | | FIPS mode enabled. | + | | | To verify that status of | + | | | FIPS mode, run the -chkfips | + | | | command with either a | + | | | true or false flag (it | + | | | doesn't matter which). The | + | | | tool returns the current | + | | | FIPS setting. | + | | | modutil -chkfips false -dbdir | + | | | sql:/home/my/sharednssdb/ | + | | | FIPS mode enabled. | + | | | Changing the Password on a | + | | | Token | + | | | Initializing or changing a | + | | | token's password: | + | | | modutil -changepw tokenname | + | | | [-pwfile old-password-file] | + | | | [-newpwfile new-password-file] | + | | | modutil -dbdir | + | | | sql:/home/my/sharednssdb | + | | | -changepw "NSS Certificate DB" | + | | | Enter old password: | + | | | Incorrect password, try | + | | | again... | + | | | Enter old password: | + | | | Enter new password: | + | | | Re-enter new password: | + | | | Token "Communicator | + | | | Certificate DB" password | + | | | changed successfully. | + | | | JAR Installation File Format | + | | | When a JAR file is run by a | + | | | server, by modutil, or by any | + | | | program that | + | | | does not interpret | + | | | JavaScript, a special | + | | | information file must be | + | | | included | + | | | to install the libraries. | + | | | There are several things to | + | | | keep in mind with | + | | | this file: | + | | | o It must be declared in | + | | | the JAR archive's manifest | + | | | file. | + | | | o The script can have any | + | | | name. | + | | | o The metainfo tag for | + | | | this is Pkcs11_install_script. | + | | | To declare | + | | | meta-information in the | + | | | manifest file, put it in a | + | | | file that is passed | + | | | to signtool. | + | | | Sample Script | + | | | For example, the PKCS #11 | + | | | installer script could be in | + | | | the file | + | | | pk11install. If so, the | + | | | metainfo file for signtool | + | | | includes a line such as | + | | | this: | + | | | + Pkcs11_install_script: | + | | | pk11install | + | | | The script must define the | + | | | platform and version number, | + | | | the module name | + | | | and file, and any optional | + | | | information like supported | + | | | ciphers and | + | | | mechanisms. Multiple | + | | | platforms can be defined in a | + | | | single install file. | + | | | ForwardCompatible { | + | | | IRIX:6.2:mips | + | | | SUNOS:5.5.1:sparc } | + | | | Platforms { | + | | | WINNT::x86 { | + | | | ModuleName { "Example | + | | | Module" } | + | | | ModuleFile { | + | | | win32/fort32.dll } | + | | | | + | | | DefaultMechanismFlags{0x0001} | + | | | | + | | | DefaultCipherFlags{0x0001} | + | | | Files { | + | | | win32/setup.exe { | + | | | Executable | + | | | RelativePath { | + | | | %temp%/setup.exe } | + | | | } | + | | | win32/setup.hlp { | + | | | RelativePath { | + | | | %temp%/setup.hlp } | + | | | } | + | | | win32/setup.cab { | + | | | RelativePath { | + | | | %temp%/setup.cab } | + | | | } | + | | | } | + | | | } | + | | | WIN95::x86 { | + | | | EquivalentPlatform | + | | | {WINNT::x86} | + | | | } | + | | | SUNOS:5.5.1:sparc { | + | | | ModuleName { "Example | + | | | UNIX Module" } | + | | | ModuleFile { | + | | | unix/fort.so } | + | | | | + | | | DefaultMechanismFlags{0x0001} | + | | | | + | | | CipherEnableFlags{0x0001} | + | | | Files { | + | | | unix/fort.so { | + | | | | + | | | Re | + | | | lativePath{%root%/lib/fort.so} | + | | | | + | | | AbsolutePath{/u | + | | | sr/local/netscape/lib/fort.so} | + | | | | + | | | FilePermissions{555} | + | | | } | + | | | xplat/instr.html { | + | | | | + | | | Relat | + | | | ivePath{%root%/docs/inst.html} | + | | | | + | | | AbsolutePath{/usr/ | + | | | local/netscape/docs/inst.html} | + | | | | + | | | FilePermissions{555} | + | | | } | + | | | } | + | | | } | + | | | IRIX:6.2:mips { | + | | | EquivalentPlatform { | + | | | SUNOS:5.5.1:sparc } | + | | | } | + | | | } | + | | | Script Grammar | + | | | The script is basic Java, | + | | | allowing lists, key-value | + | | | pairs, strings, and | + | | | combinations of all of | + | | | them. | + | | | --> valuelist | + | | | valuelist --> value valuelist | + | | | | + | | | value ---> key_value_pair | + | | | string | + | | | key_value_pair --> key { | + | | | valuelist } | + | | | key --> string | + | | | string --> simple_string | + | | | "complex_string" | + | | | simple_string --> [^ | + | | | \\t\n\""{""}"]+ | + | | | complex_string --> | + | | | ([^\"\\\r\n]|(\\\")|(\\\\))+ | + | | | Quotes and backslashes must | + | | | be escaped with a backslash. A | + | | | complex string | + | | | must not include newlines | + | | | or carriage returns.Outside of | + | | | complex strings, | + | | | all white space (for | + | | | example, spaces, tabs, and | + | | | carriage returns) is | + | | | considered equal and is | + | | | used only to delimit tokens. | + | | | Keys | + | | | The Java install file uses | + | | | keys to define the platform | + | | | and module | + | | | information. | + | | | ForwardCompatible gives a | + | | | list of platforms that are | + | | | forward compatible. | + | | | If the current platform | + | | | cannot be found in the list of | + | | | supported | + | | | platforms, then the | + | | | ForwardCompatible list is | + | | | checked for any platforms | + | | | that have the same OS and | + | | | architecture in an earlier | + | | | version. If one is | + | | | found, its attributes are | + | | | used for the current platform. | + | | | Platforms (required) Gives | + | | | a list of platforms. Each | + | | | entry in the list is | + | | | itself a key-value pair: | + | | | the key is the name of the | + | | | platform and the value | + | | | list contains various | + | | | attributes of the platform. | + | | | The platform string is | + | | | in the format system | + | | | name:OS release:architecture. | + | | | The installer obtains | + | | | these values from NSPR. OS | + | | | release is an empty string on | + | | | non-Unix | + | | | operating systems. NSPR | + | | | supports these platforms: | + | | | o AIX (rs6000) | + | | | o BSDI (x86) | + | | | o FREEBSD (x86) | + | | | o HPUX (hppa1.1) | + | | | o IRIX (mips) | + | | | o LINUX (ppc, alpha, x86) | + | | | o MacOS (PowerPC) | + | | | o NCR (x86) | + | | | o NEC (mips) | + | | | o OS2 (x86) | + | | | o OSF (alpha) | + | | | o ReliantUNIX (mips) | + | | | o SCO (x86) | + | | | o SOLARIS (sparc) | + | | | o SONY (mips) | + | | | o SUNOS (sparc) | + | | | o UnixWare (x86) | + | | | o WIN16 (x86) | + | | | o WIN95 (x86) | + | | | o WINNT (x86) | + | | | For example: | + | | | IRIX:6.2:mips | + | | | SUNOS:5.5.1:sparc | + | | | Linux:2.0.32:x86 | + | | | WIN95::x86 | + | | | The module information is | + | | | defined independently for each | + | | | platform in the | + | | | ModuleName, ModuleFile, and | + | | | Files attributes. These | + | | | attributes must be | + | | | given unless an | + | | | EquivalentPlatform attribute | + | | | is specified. | + | | | Per-Platform Keys | + | | | Per-platform keys have | + | | | meaning only within the value | + | | | list of an entry in | + | | | the Platforms list. | + | | | ModuleName (required) gives | + | | | the common name for the | + | | | module. This name is | + | | | used to reference the | + | | | module by servers and by the | + | | | modutil tool. | + | | | ModuleFile (required) names | + | | | the PKCS #11 module file for | + | | | this platform. | + | | | The name is given as the | + | | | relative path of the file | + | | | within the JAR archive. | + | | | Files (required) lists the | + | | | files that need to be | + | | | installed for this | + | | | module. Each entry in the | + | | | file list is a key-value pair. | + | | | The key is the | + | | | path of the file in the JAR | + | | | archive, and the value list | + | | | contains | + | | | attributes of the file. At | + | | | least RelativePath or | + | | | AbsolutePath must be | + | | | specified for each file. | + | | | DefaultMechanismFlags | + | | | specifies mechanisms for which | + | | | this module is the | + | | | default provider; this is | + | | | equivalent to the -mechanism | + | | | option with the | + | | | -add command. This | + | | | key-value pair is a bitstring | + | | | specified in hexadecimal | + | | | (0x) format. It is | + | | | constructed as a bitwise OR. | + | | | If the | + | | | DefaultMechanismFlags entry | + | | | is omitted, the value defaults | + | | | to 0x0. | + | | | RSA: | + | | | 0x00000001 | + | | | DSA: | + | | | 0x00000002 | + | | | RC2: | + | | | 0x00000004 | + | | | RC4: | + | | | 0x00000008 | + | | | DES: | + | | | 0x00000010 | + | | | DH: | + | | | 0x00000020 | + | | | FORTEZZA: | + | | | 0x00000040 | + | | | RC5: | + | | | 0x00000080 | + | | | SHA1: | + | | | 0x00000100 | + | | | MD5: | + | | | 0x00000200 | + | | | MD2: | + | | | 0x00000400 | + | | | RANDOM: | + | | | 0x08000000 | + | | | FRIENDLY: | + | | | 0x10000000 | + | | | OWN_PW_DEFAULTS: | + | | | 0x20000000 | + | | | DISABLE: | + | | | 0x40000000 | + | | | CipherEnableFlags specifies | + | | | ciphers that this module | + | | | provides that NSS | + | | | does not provide (so that | + | | | the module enables those | + | | | ciphers for NSS). This | + | | | is equivalent to the | + | | | -cipher argument with the -add | + | | | command. This key is a | + | | | bitstring specified in | + | | | hexadecimal (0x) format. It is | + | | | constructed as a | + | | | bitwise OR. If the | + | | | CipherEnableFlags entry is | + | | | omitted, the value defaults | + | | | to 0x0. | + | | | EquivalentPlatform | + | | | specifies that the attributes | + | | | of the named platform | + | | | should also be used for the | + | | | current platform. This makes | + | | | it easier when | + | | | more than one platform uses | + | | | the same settings. | + | | | Per-File Keys | + | | | Some keys have meaning only | + | | | within the value list of an | + | | | entry in a Files | + | | | list. | + | | | Each file requires a path | + | | | key the identifies where the | + | | | file is. Either | + | | | RelativePath or | + | | | AbsolutePath must be | + | | | specified. If both are | + | | | specified, the | + | | | relative path is tried | + | | | first, and the absolute path | + | | | is used only if no | + | | | relative root directory is | + | | | provided by the installer | + | | | program. | + | | | RelativePath specifies the | + | | | destination directory of the | + | | | file, relative to | + | | | some directory decided at | + | | | install time. Two variables | + | | | can be used in the | + | | | relative path: %root% and | + | | | %temp%. %root% is replaced at | + | | | run time with the | + | | | directory relative to which | + | | | files should be installed; for | + | | | example, it may | + | | | be the server's root | + | | | directory. The %temp% | + | | | directory is created at the | + | | | beginning of the | + | | | installation and destroyed at | + | | | the end. The purpose of | + | | | %temp% is to hold | + | | | executable files (such as | + | | | setup programs) or files that | + | | | are used by these programs. | + | | | Files destined for the | + | | | temporary directory are | + | | | guaranteed to be in place | + | | | before any executable file is | + | | | run; they are not | + | | | deleted until all | + | | | executable files have | + | | | finished. | + | | | AbsolutePath specifies the | + | | | destination directory of the | + | | | file as an | + | | | absolute path. | + | | | Executable specifies that | + | | | the file is to be executed | + | | | during the course of | + | | | the installation. | + | | | Typically, this string is used | + | | | for a setup program | + | | | provided by a module | + | | | vendor, such as a | + | | | self-extracting setup | + | | | executable. | + | | | More than one file can be | + | | | specified as executable, in | + | | | which case the files | + | | | are run in the order in | + | | | which they are specified in | + | | | the script file. | + | | | FilePermissions sets | + | | | permissions on any referenced | + | | | files in a string of | + | | | octal digits, according to | + | | | the standard Unix format. This | + | | | string is a | + | | | bitwise OR. | + | | | user read: | + | | | 0400 | + | | | user write: | + | | | 0200 | + | | | user execute: | + | | | 0100 | + | | | group read: | + | | | 0040 | + | | | group write: | + | | | 0020 | + | | | group execute: | + | | | 0010 | + | | | other read: | + | | | 0004 | + | | | other write: | + | | | 0002 | + | | | other execute: 0001 | + | | | Some platforms may not | + | | | understand these permissions. | + | | | They are applied only | + | | | insofar as they make sense | + | | | for the current platform. If | + | | | this attribute is | + | | | omitted, a default of 777 | + | | | is assumed. | + | | | NSS Database Types | + | | | NSS originally used | + | | | BerkeleyDB databases to store | + | | | security information. | + | | | The last versions of these | + | | | legacy databases are: | + | | | o cert8.db for | + | | | certificates | + | | | o key3.db for keys | + | | | o secmod.db for PKCS #11 | + | | | module information | + | | | BerkeleyDB has performance | + | | | limitations, though, which | + | | | prevent it from | + | | | being easily used by | + | | | multiple applications | + | | | simultaneously. NSS has some | + | | | flexibility that allows | + | | | applications to use their own, | + | | | independent | + | | | database engine while | + | | | keeping a shared database and | + | | | working around the | + | | | access issues. Still, NSS | + | | | requires more flexibility to | + | | | provide a truly | + | | | shared security database. | + | | | In 2009, NSS introduced a | + | | | new set of databases that are | + | | | SQLite databases | + | | | rather than BerkleyDB. | + | | | These new databases provide | + | | | more accessibility and | + | | | performance: | + | | | o cert9.db for | + | | | certificates | + | | | o key4.db for keys | + | | | o pkcs11.txt, which is | + | | | listing of all of the PKCS #11 | + | | | modules contained | + | | | in a new subdirectory | + | | | in the security databases | + | | | directory | + | | | Because the SQLite | + | | | databases are designed to be | + | | | shared, these are the | + | | | shared database type. The | + | | | shared database type is | + | | | preferred; the legacy | + | | | format is included for | + | | | backward compatibility. | + | | | By default, the tools | + | | | (certutil, pk12util, modutil) | + | | | assume that the given | + | | | security databases follow | + | | | the more common legacy type. | + | | | Using the SQLite | + | | | databases must be manually | + | | | specified by using the sql: | + | | | prefix with the | + | | | given security directory. | + | | | For example: | + | | | modutil -create -dbdir | + | | | sql:/home/my/sharednssdb | + | | | To set the shared database | + | | | type as the default type for | + | | | the tools, set the | + | | | NSS_DEFAULT_DB_TYPE | + | | | environment variable to sql: | + | | | export | + | | | NSS_DEFAULT_DB_TYPE="sql" | + | | | This line can be set added | + | | | to the ~/.bashrc file to make | + | | | the change | + | | | permanent. | + | | | Most applications do not | + | | | use the shared database by | + | | | default, but they can | + | | | be configured to use them. | + | | | For example, this how-to | + | | | article covers how to | + | | | configure Firefox and | + | | | Thunderbird to use the new | + | | | shared NSS databases: | + | | | | + | | | o https://wiki.m | + | | | ozilla.org/NSS_Shared_DB_Howto | + | | | For an engineering draft on | + | | | the changes in the shared NSS | + | | | databases, see | + | | | the NSS project wiki: | + | | | | + | | | o https:// | + | | | wiki.mozilla.org/NSS_Shared_DB | + | | | See Also | + | | | certutil (1) | + | | | pk12util (1) | + | | | signtool (1) | + | | | The NSS wiki has | + | | | information on the new | + | | | database design and how to | + | | | configure applications to | + | | | use it. | + | | | | + | | | o https://wiki.m | + | | | ozilla.org/NSS_Shared_DB_Howto | + | | | | + | | | o https:// | + | | | wiki.mozilla.org/NSS_Shared_DB | + | | | Additional Resources | + | | | For information about NSS | + | | | and other tools related to NSS | + | | | (like JSS), check | + | | | out the NSS project wiki at | + | | | | + | | | [2]\ `http://www.mozil | + | | | la.org/projects/security/pki/n | + | | | ss/ `__. | + | | | The NSS site relates | + | | | directly to NSS code | + | | | changes and releases. | + | | | Mailing lists: | + | | | https://lists.mozill | + | | | a.org/listinfo/dev-tech-crypto | + | | | IRC: Freenode at | + | | | #dogtag-pki | + | | | Authors | + | | | The NSS tools were written | + | | | and maintained by developers | + | | | with Netscape, Red | + | | | Hat, and Sun. | + | | | Authors: Elio Maldonado | + | | | , Deon | + | | | Lackey | + | | | . | + | | | Copyright | + | | | (c) 2010, Red Hat, Inc. | + | | | Licensed under the GNU Public | + | | | License version 2. | + | | | References | + | | | Visible links | + | | | 1. JAR Installation File | + | | | Format | + | | | | + | | | ``file:///tmp/xmlto.6gGxS0/ | + | | | modutil.pro...r-install-file`` | + | | | 2. | + | | | https://www.mozilla. | + | | | org/projects/security/pki/nss/ | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 342 | :ref:`mozilla_projects_nss_t | | + | | ools_nss_tools_certutil-tasks` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Newsgroup: | + | | | `mozilla.dev.tech | + | | | .crypto `__ | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 343 | :ref:`mozilla_projects | **certificates, x509v3** | + | | _nss_tools_nss_tools_certutil` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The Certificate Database Tool | + | | | is a command-line utility that | + | | | can create and modify the | + | | | Netscape Communicator | + | | | ``cert8.db`` and | + | | | ``key3.db``\ database files. | + | | | It can also list, generate, | + | | | modify, or delete certificates | + | | | within the ``cert8.db``\ file | + | | | and create or change the | + | | | password, generate new public | + | | | and private key pairs, display | + | | | the contents of the key | + | | | database, or delete key pairs | + | | | within the ``key3.db`` file. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 344 | :ref:`mozilla_project | | + | | s_nss_tools_nss_tools_cmsutil` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The cmsutil command-line | + | | | utility uses the `S/MIME | + | | | Toolkit <../smime/>`__ to | + | | | perform basic operations, such | + | | | as encryption and decryption, | + | | | on `Cryptographic Message | + | | | Syntax (CMS) `__ | + | | | messages. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 345 | :ref:`mozilla_project | | + | | s_nss_tools_nss_tools_crlutil` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Newsgroup: | + | | | `mozilla.dev.tech | + | | | .crypto `__ | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 346 | :ref:`mozilla_projects_n | | + | | ss_tools_nss_tools_dbck-tasks` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Newsgroup: | + | | | `mozilla.dev.tech | + | | | .crypto `__ | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 347 | :ref:`mozilla_projects_nss_ | | + | | tools_nss_tools_modutil-tasks` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Newsgroup: | + | | | `mozilla.dev.tech | + | | | .crypto `__ | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 348 | :ref:`mozilla_project | | + | | s_nss_tools_nss_tools_modutil` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The Security Module Database | + | | | Tool is a command-line utility | + | | | for managing PKCS #11 module | + | | | information within | + | | | ``secmod.db`` files or within | + | | | hardware tokens. You can use | + | | | the tool to add and delete | + | | | PKCS #11 modules, change | + | | | passwords, set defaults, list | + | | | module contents, enable or | + | | | disable slots, enable or | + | | | disable FIPS 140-2 compliance, | + | | | and assign default providers | + | | | for cryptographic operations. | + | | | This tool can also create | + | | | ``key3.db``, ``cert8.db``, and | + | | | ``secmod.db`` security | + | | | database files. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 349 | :ref:`mozilla_projects_nss_t | | + | | ools_nss_tools_pk12util-tasks` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Newsgroup: | + | | | `mozilla.dev.tech | + | | | .crypto `__ | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 350 | :ref:`mozilla_projects | | + | | _nss_tools_nss_tools_pk12util` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The PKCS #12 utility makes | + | | | sharing of certificates among | + | | | Enterprise server 3.x and any | + | | | server (Netscape products or | + | | | non-Netscape products) that | + | | | supports PKCS#12 possible. The | + | | | tool allows you to import | + | | | certificates and keys from | + | | | pkcs #12 files into NSS or | + | | | export them and also list | + | | | certificates and keys in such | + | | | files. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 351 | :ref:`mozilla_projects_nss_ | | + | | tools_nss_tools_signver-tasks` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | *No summary!* | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 352 | :ref:`mozilla_projects_ns | | + | | s_tools_nss_tools_sslstrength` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | A simple command-line client | + | | | which connects to an | + | | | SSL-server, and reports back | + | | | the encryption cipher and | + | | | strength used. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 353 | :ref:`mozilla_projec | | + | | ts_nss_tools_nss_tools_ssltap` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The SSL Debugging Tool is an | + | | | SSL-aware command-line proxy. | + | | | It watches TCP connections and | + | | | displays the data going by. If | + | | | a connection is SSL, the data | + | | | display includes interpreted | + | | | SSL records and handshaking. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 354 | :ref:`mozill | | + | | a_projects_nss_tools_pk12util` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Name | + | | | pk12util — Export and | + | | | import keys and certificate to | + | | | or from a PKCS #12 | + | | | file and the NSS database | + | | | Synopsis | + | | | pk12util [-i p12File [-h | + | | | tokenname] [-v] | + | | | [common-options] ] [ -l | + | | | p12File | + | | | [-h tokenname] [-r] | + | | | [common-options] ] [ -o | + | | | p12File -n certname [-c | + | | | keyCipher] [-C certCipher] | + | | | [-m|--key_len keyLen] | + | | | [-n|--cert_key_len | + | | | certKeyLen] | + | | | [common-options] ] [ | + | | | common-options are: [-d | + | | | [sql:]directory] | + | | | [-P dbprefix] [-k | + | | | slotPasswordFile|-K | + | | | slotPassword] [-w | + | | | p12filePasswordFile|-W | + | | | p12filePassword] ] | + | | | Description | + | | | The PKCS #12 utility, | + | | | pk12util, enables sharing | + | | | certificates among any | + | | | server that supports | + | | | PKCS#12. The tool can import | + | | | certificates and keys | + | | | from PKCS#12 files into | + | | | security databases, export | + | | | certificates, and list | + | | | certificates and keys. | + | | | Options and Arguments | + | | | Options | + | | | -i p12file | + | | | Import keys and | + | | | certificates from a PKCS#12 | + | | | file into a security | + | | | database. | + | | | -l p12file | + | | | List the keys and | + | | | certificates in PKCS#12 file. | + | | | -o p12file | + | | | Export keys and | + | | | certificates from the security | + | | | database to a | + | | | PKCS#12 file. | + | | | Arguments | + | | | -n certname | + | | | Specify the | + | | | nickname of the cert and | + | | | private key to export. | + | | | -d [sql:]directory | + | | | Specify the | + | | | database directory into which | + | | | to import to or export | + | | | from certificates | + | | | and keys. | + | | | pk12util supports | + | | | two types of databases: the | + | | | legacy security | + | | | databases | + | | | (cert8.db, key3.db, and | + | | | secmod.db) and new SQLite | + | | | databases | + | | | (cert9.db, key4.db, and | + | | | pkcs11.txt). If the prefix | + | | | sql: | + | | | is not used, then | + | | | the tool assumes that the | + | | | given databases are in | + | | | the old format. | + | | | -P prefix | + | | | Specify the prefix | + | | | used on the certificate and | + | | | key databases. This | + | | | option is provided | + | | | as a special case. Changing | + | | | the names of the | + | | | certificate and key | + | | | databases is not recommended. | + | | | -h tokenname | + | | | Specify the name of | + | | | the token to import into or | + | | | export from. | + | | | -v | + | | | Enable debug | + | | | logging when importing. | + | | | -k slotPasswordFile | + | | | Specify the text | + | | | file containing the slot's | + | | | password. | + | | | -K slotPassword | + | | | Specify the slot's | + | | | password. | + | | | -w p12filePasswordFile | + | | | Specify the text | + | | | file containing the pkcs #12 | + | | | file password. | + | | | -W p12filePassword | + | | | Specify the pkcs | + | | | #12 file password. | + | | | -c keyCipher | + | | | Specify the key | + | | | encryption algorithm. | + | | | -C certCipher | + | | | Specify the key | + | | | cert (overall package) | + | | | encryption algorithm. | + | | | -m \| --key-len keyLength | + | | | Specify the desired | + | | | length of the symmetric key to | + | | | be used to | + | | | encrypt the private | + | | | key. | + | | | -n \| --cert-key-len | + | | | certKeyLength | + | | | Specify the desired | + | | | length of the symmetric key to | + | | | be used to | + | | | encrypt the | + | | | certificates and other | + | | | meta-data. | + | | | -r | + | | | Dumps all of the | + | | | data in raw (binary) form. | + | | | This must be saved as | + | | | a DER file. The | + | | | default is to return | + | | | information in a pretty-print | + | | | ASCII format, which | + | | | displays the information about | + | | | the | + | | | certificates and | + | | | public keys in the p12 file. | + | | | Return Codes | + | | | o 0 - No error | + | | | o 1 - User Cancelled | + | | | o 2 - Usage error | + | | | o 6 - NLS init error | + | | | o 8 - Certificate DB open | + | | | error | + | | | o 9 - Key DB open error | + | | | o 10 - File | + | | | initialization error | + | | | o 11 - Unicode conversion | + | | | error | + | | | o 12 - Temporary file | + | | | creation error | + | | | o 13 - PKCS11 get slot | + | | | error | + | | | o 14 - PKCS12 decoder | + | | | start error | + | | | o 15 - error read from | + | | | import file | + | | | o 16 - pkcs12 decode | + | | | error | + | | | o 17 - pkcs12 decoder | + | | | verify error | + | | | o 18 - pkcs12 decoder | + | | | validate bags error | + | | | o 19 - pkcs12 decoder | + | | | import bags error | + | | | o 20 - key db conversion | + | | | version 3 to version 2 error | + | | | o 21 - cert db conversion | + | | | version 7 to version 5 error | + | | | o 22 - cert and key dbs | + | | | patch error | + | | | o 23 - get default cert | + | | | db error | + | | | o 24 - find cert by | + | | | nickname error | + | | | o 25 - create export | + | | | context error | + | | | o 26 - PKCS12 add | + | | | password itegrity error | + | | | o 27 - cert and key Safes | + | | | creation error | + | | | o 28 - PKCS12 add cert | + | | | and key error | + | | | o 29 - PKCS12 encode | + | | | error | + | | | Examples | + | | | Importing Keys and | + | | | Certificates | + | | | The most basic usage of | + | | | pk12util for importing a | + | | | certificate or key is the | + | | | PKCS#12 input file (-i) and | + | | | some way to specify the | + | | | security database | + | | | being accessed (either -d | + | | | for a directory or -h for a | + | | | token). | + | | | pk12util -i p12File [-h | + | | | tokenname] [-v] [-d | + | | | [sql:]directory] [-P dbprefix] | + | | | [-k slotPasswordFile|-K | + | | | slotPassword] [-w | + | | | p12filePasswordFile|-W | + | | | p12filePassword] | + | | | For example: | + | | | # pk12util -i | + | | | /tmp/cert-files/users.p12 -d | + | | | sql:/home/my/sharednssdb | + | | | Enter a password which will | + | | | be used to encrypt your keys. | + | | | The password should be at | + | | | least 8 characters long, | + | | | and should contain at least | + | | | one non-alphabetic character. | + | | | Enter new password: | + | | | Re-enter password: | + | | | Enter password for PKCS12 | + | | | file: | + | | | pk12util: PKCS12 IMPORT | + | | | SUCCESSFUL | + | | | Exporting Keys and | + | | | Certificates | + | | | Using the pk12util command | + | | | to export certificates and | + | | | keys requires both | + | | | the name of the certificate | + | | | to extract from the database | + | | | (-n) and the | + | | | PKCS#12-formatted output | + | | | file to write to. There are | + | | | optional parameters | + | | | that can be used to encrypt | + | | | the file to protect the | + | | | certificate material. | + | | | pk12util -o p12File -n | + | | | certname [-c keyCipher] [-C | + | | | certCipher] [-m|--key_len | + | | | keyLen] [-n|--cert_key_len | + | | | certKeyLen] [-d | + | | | [sql:]directory] [-P dbprefix] | + | | | [-k slotPasswordFile|-K | + | | | slotPassword] [-w | + | | | p12filePasswordFile|-W | + | | | p12filePassword] | + | | | For example: | + | | | # pk12util -o certs.p12 -n | + | | | Server-Cert -d | + | | | sql:/home/my/sharednssdb | + | | | Enter password for PKCS12 | + | | | file: | + | | | Re-enter password: | + | | | Listing Keys and | + | | | Certificates | + | | | The information in a .p12 | + | | | file are not human-readable. | + | | | The certificates | + | | | and keys in the file can be | + | | | printed (listed) in a | + | | | human-readable | + | | | pretty-print format that | + | | | shows information for every | + | | | certificate and any | + | | | public keys in the .p12 | + | | | file. | + | | | pk12util -l p12File [-h | + | | | tokenname] [-r] [-d | + | | | [sql:]directory] [-P dbprefix] | + | | | [-k slotPasswordFile|-K | + | | | slotPassword] [-w | + | | | p12filePasswordFile|-W | + | | | p12filePassword] | + | | | For example, this prints | + | | | the default ASCII output: | + | | | # pk12util -l certs.p12 | + | | | Enter password for PKCS12 | + | | | file: | + | | | Key(shrouded): | + | | | Friendly Name: Thawte | + | | | Freemail Member's Thawte | + | | | Consulting (Pty) Ltd. ID | + | | | Encryption algorithm: | + | | | PKCS #12 V2 PBE With SHA-1 And | + | | | 3KEY Triple DES-CBC | + | | | Parameters: | + | | | Salt: | + | | | | + | | | 45:2e:6a:a0:03:4d | + | | | :7b:a1:63:3c:15:ea:67:37:62:1f | + | | | Iteration Count: | + | | | 1 (0x1) | + | | | Certificate: | + | | | Data: | + | | | Version: 3 (0x2) | + | | | Serial Number: 13 | + | | | (0xd) | + | | | Signature Algorithm: | + | | | PKCS #1 SHA-1 With RSA | + | | | Encryption | + | | | Issuer: | + | | | "E=personal | + | | | -freemail@thawte.com,CN=Thawte | + | | | Personal Freemail C | + | | | | + | | | A,OU=Certification Services | + | | | Division,O=Thawte | + | | | Consulting,L=Cape T | + | | | own,ST=Western | + | | | Cape,C=ZA" | + | | | .... | + | | | Alternatively, the -r | + | | | prints the certificates and | + | | | then exports them into | + | | | separate DER binary files. | + | | | This allows the certificates | + | | | to be fed to | + | | | another application that | + | | | supports .p12 files. Each | + | | | certificate is written | + | | | to a sequentially-number | + | | | file, beginning with | + | | | file0001.der and continuing | + | | | through file000N.der, | + | | | incrementing the number for | + | | | every certificate: | + | | | # pk12util -l test.p12 -r | + | | | Enter password for PKCS12 | + | | | file: | + | | | Key(shrouded): | + | | | Friendly Name: Thawte | + | | | Freemail Member's Thawte | + | | | Consulting (Pty) Ltd. ID | + | | | Encryption algorithm: | + | | | PKCS #12 V2 PBE With SHA-1 And | + | | | 3KEY Triple DES-CBC | + | | | Parameters: | + | | | Salt: | + | | | | + | | | 45:2e:6a:a0:03:4d | + | | | :7b:a1:63:3c:15:ea:67:37:62:1f | + | | | Iteration Count: | + | | | 1 (0x1) | + | | | Certificate Friendly Name: | + | | | Thawte Personal Freemail | + | | | Issuing CA - Thawte Consulting | + | | | Certificate Friendly Name: | + | | | Thawte Freemail Member's | + | | | Thawte Consulting (Pty) Ltd. | + | | | ID | + | | | Password Encryption | + | | | PKCS#12 provides for not | + | | | only the protection of the | + | | | private keys but also | + | | | the certificate and | + | | | meta-data associated with the | + | | | keys. Password-based | + | | | encryption is used to | + | | | protect private keys on export | + | | | to a PKCS#12 file | + | | | and, optionally, the entire | + | | | package. If no algorithm is | + | | | specified, the | + | | | tool defaults to using | + | | | PKCS12 V2 PBE with SHA1 and | + | | | 3KEY Triple DES-cbc for | + | | | private key encryption. | + | | | PKCS12 V2 PBE with SHA1 and 40 | + | | | Bit RC4 is the | + | | | default for the overall | + | | | package encryption when not in | + | | | FIPS mode. When in | + | | | FIPS mode, there is no | + | | | package encryption. | + | | | The private key is always | + | | | protected with strong | + | | | encryption by default. | + | | | Several types of ciphers | + | | | are supported. | + | | | Symmetric CBC ciphers for | + | | | PKCS#5 V2 | + | | | DES_CBC | + | | | o RC2-CBC | + | | | o RC5-CBCPad | + | | | o DES-EDE3-CBC | + | | | (the default for key | + | | | encryption) | + | | | o AES-128-CBC | + | | | o AES-192-CBC | + | | | o AES-256-CBC | + | | | | + | | | o CAMELLIA-128-CBC | + | | | | + | | | o CAMELLIA-192-CBC | + | | | | + | | | o CAMELLIA-256-CBC | + | | | PKCS#12 PBE ciphers | + | | | PKCS #12 PBE with | + | | | Sha1 and 128 Bit RC4 | + | | | o PKCS #12 PBE | + | | | with Sha1 and 40 Bit RC4 | + | | | o PKCS #12 PBE | + | | | with Sha1 and Triple DES CBC | + | | | o PKCS #12 PBE | + | | | with Sha1 and 128 Bit RC2 CBC | + | | | o PKCS #12 PBE | + | | | with Sha1 and 40 Bit RC2 CBC | + | | | o PKCS12 V2 PBE | + | | | with SHA1 and 128 Bit RC4 | + | | | o PKCS12 V2 PBE | + | | | with SHA1 and 40 Bit RC4 (the | + | | | default for | + | | | non-FIPS mode) | + | | | o PKCS12 V2 PBE | + | | | with SHA1 and 3KEY Triple | + | | | DES-cbc | + | | | o PKCS12 V2 PBE | + | | | with SHA1 and 2KEY Triple | + | | | DES-cbc | + | | | o PKCS12 V2 PBE | + | | | with SHA1 and 128 Bit RC2 CBC | + | | | o PKCS12 V2 PBE | + | | | with SHA1 and 40 Bit RC2 CBC | + | | | PKCS#5 PBE ciphers | + | | | PKCS #5 Password | + | | | Based Encryption with MD2 and | + | | | DES CBC | + | | | o PKCS #5 | + | | | Password Based Encryption with | + | | | MD5 and DES CBC | + | | | o PKCS #5 | + | | | Password Based Encryption with | + | | | SHA1 and DES CBC | + | | | With PKCS#12, the crypto | + | | | provider may be the soft token | + | | | module or an | + | | | external hardware module. | + | | | If the cryptographic module | + | | | does not support the | + | | | requested algorithm, then | + | | | the next best fit will be | + | | | selected (usually the | + | | | default). If no suitable | + | | | replacement for the desired | + | | | algorithm can be | + | | | found, the tool returns the | + | | | error no security module can | + | | | perform the | + | | | requested operation. | + | | | NSS Database Types | + | | | NSS originally used | + | | | BerkeleyDB databases to store | + | | | security information. | + | | | The last versions of these | + | | | legacy databases are: | + | | | o cert8.db for | + | | | certificates | + | | | o key3.db for keys | + | | | o secmod.db for PKCS #11 | + | | | module information | + | | | BerkeleyDB has performance | + | | | limitations, though, which | + | | | prevent it from | + | | | being easily used by | + | | | multiple applications | + | | | simultaneously. NSS has some | + | | | flexibility that allows | + | | | applications to use their own, | + | | | independent | + | | | database engine while | + | | | keeping a shared database and | + | | | working around the | + | | | access issues. Still, NSS | + | | | requires more flexibility to | + | | | provide a truly | + | | | shared security database. | + | | | In 2009, NSS introduced a | + | | | new set of databases that are | + | | | SQLite databases | + | | | rather than BerkleyDB. | + | | | These new databases provide | + | | | more accessibility and | + | | | performance: | + | | | o cert9.db for | + | | | certificates | + | | | o key4.db for keys | + | | | o pkcs11.txt, which is | + | | | listing of all of the PKCS #11 | + | | | modules contained | + | | | in a new subdirectory | + | | | in the security databases | + | | | directory | + | | | Because the SQLite | + | | | databases are designed to be | + | | | shared, these are the | + | | | shared database type. The | + | | | shared database type is | + | | | preferred; the legacy | + | | | format is included for | + | | | backward compatibility. | + | | | By default, the tools | + | | | (certutil, pk12util, modutil) | + | | | assume that the given | + | | | security databases follow | + | | | the more common legacy type. | + | | | Using the SQLite | + | | | databases must be manually | + | | | specified by using the sql: | + | | | prefix with the | + | | | given security directory. | + | | | For example: | + | | | # pk12util -i | + | | | /tmp/cert-files/users.p12 -d | + | | | sql:/home/my/sharednssdb | + | | | To set the shared database | + | | | type as the default type for | + | | | the tools, set the | + | | | NSS_DEFAULT_DB_TYPE | + | | | environment variable to sql: | + | | | export | + | | | NSS_DEFAULT_DB_TYPE="sql" | + | | | This line can be set added | + | | | to the ~/.bashrc file to make | + | | | the change | + | | | permanent. | + | | | Most applications do not | + | | | use the shared database by | + | | | default, but they can | + | | | be configured to use them. | + | | | For example, this how-to | + | | | article covers how to | + | | | configure Firefox and | + | | | Thunderbird to use the new | + | | | shared NSS databases: | + | | | | + | | | o https://wiki.m | + | | | ozilla.org/NSS_Shared_DB_Howto | + | | | For an engineering draft on | + | | | the changes in the shared NSS | + | | | databases, see | + | | | the NSS project wiki: | + | | | | + | | | o https:// | + | | | wiki.mozilla.org/NSS_Shared_DB | + | | | See Also | + | | | certutil (1) | + | | | modutil (1) | + | | | The NSS wiki has | + | | | information on the new | + | | | database design and how to | + | | | configure applications to | + | | | use it. | + | | | | + | | | o https://wiki.m | + | | | ozilla.org/NSS_Shared_DB_Howto | + | | | | + | | | o https:// | + | | | wiki.mozilla.org/NSS_Shared_DB | + | | | Additional Resources | + | | | For information about NSS | + | | | and other tools related to NSS | + | | | (like JSS), check | + | | | out the NSS project wiki at | + | | | | + | | | [1]\ `http://www.mozil | + | | | la.org/projects/security/pki/n | + | | | ss/ `__. | + | | | The NSS site relates | + | | | directly to NSS code | + | | | changes and releases. | + | | | Mailing lists: | + | | | https://lists.mozill | + | | | a.org/listinfo/dev-tech-crypto | + | | | IRC: Freenode at | + | | | #dogtag-pki | + | | | Authors | + | | | The NSS tools were written | + | | | and maintained by developers | + | | | with Netscape, Red | + | | | Hat, and Sun. | + | | | Authors: Elio Maldonado | + | | | , Deon | + | | | Lackey | + | | | . | + | | | Copyright | + | | | (c) 2010, Red Hat, Inc. | + | | | Licensed under the GNU Public | + | | | License version 2. | + | | | References | + | | | Visible links | + | | | 1. | + | | | `http://www.mozi | + | | | lla.org/projects/security/pki/ | + | | | nss/ `__ | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 355 | :ref:`mozill | | + | | a_projects_nss_tools_signtool` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Name | + | | | signtool — Digitally sign | + | | | objects and files. | + | | | Synopsis | + | | | signtool [-k keyName] | + | | | `-h <-h>`__ `-H <-H>`__ | + | | | `-l <-l>`__ `-L <-L>`__ | + | | | `-M <-M>`__ `-v <-v>`__ | + | | | `-w <-w>`__ | + | | | `-G | + | | | nickname <-G_nickname>`__ `-s | + | | | size <--keysize>`__ `-b | + | | | basename <-b_basename>`__ [[-c | + | | | Compression | + | | | Level] ] [[-d cert-dir] ] | + | | | [[-i installer script] ] [[-m | + | | | metafile] ] [[-x | + | | | name] ] [[-f filename] ] | + | | | [[-t|--token tokenname] ] [[-e | + | | | extension] ] [[-o] | + | | | ] [[-z] ] [[-X] ] | + | | | [[--outfile] ] [[--verbose | + | | | value] ] [[--norecurse] ] | + | | | [[--leavearc] ] [[-j | + | | | directory] ] [[-Z jarfile] ] | + | | | [[-O] ] [[-p password] ] | + | | | [directory-tree] [archive] | + | | | Description | + | | | The Signing Tool, signtool, | + | | | creates digital signatures and | + | | | uses a Java | + | | | Archive (JAR) file to | + | | | associate the signatures with | + | | | files in a directory. | + | | | Electronic software | + | | | distribution over any network | + | | | involves potential | + | | | security problems. To help | + | | | address some of these | + | | | problems, you can | + | | | associate digital | + | | | signatures with the files in a | + | | | JAR archive. Digital | + | | | signatures allow | + | | | SSL-enabled clients to perform | + | | | two important operations: | + | | | \* Confirm the identity of | + | | | the individual, company, or | + | | | other entity whose | + | | | digital signature is | + | | | associated with the files | + | | | \* Check whether the files | + | | | have been tampered with since | + | | | being signed | + | | | If you have a signing | + | | | certificate, you can use | + | | | Netscape Signing Tool to | + | | | digitally sign files and | + | | | package them as a JAR file. An | + | | | object-signing | + | | | certificate is a special | + | | | kind of certificate that | + | | | allows you to associate | + | | | your digital signature with | + | | | one or more files. | + | | | An individual file can | + | | | potentially be signed with | + | | | multiple digital | + | | | signatures. For example, a | + | | | commercial software developer | + | | | might sign the | + | | | files that constitute a | + | | | software product to prove that | + | | | the files are | + | | | indeed from a particular | + | | | company. A network | + | | | administrator manager might | + | | | sign the same files with an | + | | | additional digital signature | + | | | based on a | + | | | company-generated | + | | | certificate to indicate that | + | | | the product is approved for | + | | | use within the company. | + | | | The significance of a | + | | | digital signature is | + | | | comparable to the significance | + | | | of a handwritten signature. | + | | | Once you have signed a file, | + | | | it is difficult | + | | | to claim later that you | + | | | didn't sign it. In some | + | | | situations, a digital | + | | | signature may be considered | + | | | as legally binding as a | + | | | handwritten signature. | + | | | Therefore, you should take | + | | | great care to ensure that you | + | | | can stand behind | + | | | any file you sign and | + | | | distribute. | + | | | For example, if you are a | + | | | software developer, you should | + | | | test your code to | + | | | make sure it is virus-free | + | | | before signing it. Similarly, | + | | | if you are a | + | | | network administrator, you | + | | | should make sure, before | + | | | signing any code, that | + | | | it comes from a reliable | + | | | source and will run correctly | + | | | with the software | + | | | installed on the machines | + | | | to which you are distributing | + | | | it. | + | | | Before you can use Netscape | + | | | Signing Tool to sign files, | + | | | you must have an | + | | | object-signing certificate, | + | | | which is a special certificate | + | | | whose | + | | | associated private key is | + | | | used to create digital | + | | | signatures. For testing | + | | | purposes only, you can | + | | | create an object-signing | + | | | certificate with Netscape | + | | | Signing Tool 1.3. When | + | | | testing is finished and you | + | | | are ready to | + | | | disitribute your software, | + | | | you should obtain an | + | | | object-signing certificate | + | | | from one of two kinds of | + | | | sources: | + | | | \* An independent | + | | | certificate authority (CA) | + | | | that authenticates your | + | | | identity and charges you a | + | | | fee. You typically get a | + | | | certificate from an | + | | | independent CA if you want | + | | | to sign software that will be | + | | | distributed over | + | | | the Internet. | + | | | \* CA server software | + | | | running on your corporate | + | | | intranet or extranet. | + | | | Netscape Certificate | + | | | Management System provides a | + | | | complete management | + | | | solution for creating, | + | | | deploying, and managing | + | | | certificates, including CAs | + | | | that issue object-signing | + | | | certificates. | + | | | You must also have a | + | | | certificate for the CA that | + | | | issues your signing | + | | | certificate before you can | + | | | sign files. If the certificate | + | | | authority's | + | | | certificate isn't already | + | | | installed in your copy of | + | | | Communicator, you | + | | | typically install it by | + | | | clicking the appropriate link | + | | | on the certificate | + | | | authority's web site, for | + | | | example on the page from which | + | | | you initiated | + | | | enrollment for your signing | + | | | certificate. This is the case | + | | | for some test | + | | | certificates, as well as | + | | | certificates issued by | + | | | Netscape Certificate | + | | | Management System: you must | + | | | download the CA certificate in | + | | | addition to | + | | | obtaining your own signing | + | | | certificate. CA certificates | + | | | for several | + | | | certificate authorities are | + | | | preinstalled in the | + | | | Communicator certificate | + | | | database. | + | | | When you receive an | + | | | object-signing certificate for | + | | | your own use, it is | + | | | automatically installed in | + | | | your copy of the Communicator | + | | | client software. | + | | | Communicator supports the | + | | | public-key cryptography | + | | | standard known as PKCS | + | | | #12, which governs key | + | | | portability. You can, for | + | | | example, move an | + | | | object-signing certificate | + | | | and its associated private key | + | | | from one | + | | | computer to another on a | + | | | credit-card-sized device | + | | | called a smart card. | + | | | Options | + | | | -b basename | + | | | Specifies the base | + | | | filename for the .rsa and .sf | + | | | files in the | + | | | META-INF directory | + | | | to conform with the JAR | + | | | format. For example, -b | + | | | signatures causes | + | | | the files to be named | + | | | signatures.rsa and | + | | | signatures.sf. The | + | | | default is signtool. | + | | | -c# | + | | | Specifies the | + | | | compression level for the -J | + | | | or -Z option. The | + | | | symbol # represents | + | | | a number from 0 to 9, where 0 | + | | | means no | + | | | compression and 9 | + | | | means maximum compression. The | + | | | higher the level | + | | | of compression, the | + | | | smaller the output but the | + | | | longer the | + | | | operation takes. If | + | | | the -c# option is not used | + | | | with either the -J | + | | | or the -Z option, | + | | | the default compression value | + | | | used by both the | + | | | -J and -Z options | + | | | is 6. | + | | | -d certdir | + | | | Specifies your | + | | | certificate database | + | | | directory; that is, the | + | | | directory in which | + | | | you placed your key3.db and | + | | | cert7.db files. To | + | | | specify the current | + | | | directory, use "-d." | + | | | (including the period). | + | | | The Unix version of | + | | | signtool assumes ~/.netscape | + | | | unless told | + | | | otherwise. The NT | + | | | version of signtool always | + | | | requires the use of | + | | | the -d option to | + | | | specify where the database | + | | | files are located. | + | | | -e extension | + | | | Tells signtool to | + | | | sign only files with the given | + | | | extension; for | + | | | example, use | + | | | -e".class" to sign only Java | + | | | class files. Note that | + | | | with Netscape | + | | | Signing Tool version 1.1 and | + | | | later this option can | + | | | appear multiple | + | | | times on one command line, | + | | | making it possible to | + | | | specify multiple | + | | | file types or classes to | + | | | include. | + | | | -f commandfile | + | | | Specifies a text | + | | | file containing Netscape | + | | | Signing Tool options and | + | | | arguments in | + | | | keyword=value format. All | + | | | options and arguments can | + | | | be expressed | + | | | through this file. For more | + | | | information about the | + | | | syntax used with | + | | | this file, see "Tips and | + | | | Techniques". | + | | | -i scriptname | + | | | Specifies the name | + | | | of an installer script for | + | | | SmartUpdate. This | + | | | script installs | + | | | files from the JAR archive in | + | | | the local system | + | | | after SmartUpdate | + | | | has validated the digital | + | | | signature. For more | + | | | details, see the | + | | | description of -m that | + | | | follows. The -i option | + | | | provides a | + | | | straightforward way to provide | + | | | this information if you | + | | | don't need to | + | | | specify any metadata other | + | | | than an installer script. | + | | | -j directory | + | | | Specifies a special | + | | | JavaScript directory. This | + | | | option causes the | + | | | specified directory | + | | | to be signed and tags its | + | | | entries as inline | + | | | JavaScript. This | + | | | special type of entry does not | + | | | have to appear in | + | | | the JAR file | + | | | itself. Instead, it is located | + | | | in the HTML page | + | | | containing the | + | | | inline scripts. When you use | + | | | signtool -v, these | + | | | entries are | + | | | displayed with the string NOT | + | | | PRESENT. | + | | | -k key ... directory | + | | | Specifies the | + | | | nickname (key) of the | + | | | certificate you want to sign | + | | | with and signs the | + | | | files in the specified | + | | | directory. The directory | + | | | to sign is always | + | | | specified as the last | + | | | command-line argument. | + | | | Thus, it is | + | | | possible to write signtool -k | + | | | MyCert -d . signdir You | + | | | may have trouble if | + | | | the nickname contains a single | + | | | quotation mark. | + | | | To avoid problems, | + | | | escape the quotation mark | + | | | using the escape | + | | | conventions for | + | | | your platform. It's also | + | | | possible to use the -k | + | | | option without | + | | | signing any files or | + | | | specifying a directory. For | + | | | example, you can | + | | | use it with the -l option to | + | | | get detailed | + | | | information about a | + | | | particular signing | + | | | certificate. | + | | | -G nickname | + | | | Generates a new | + | | | private-public key pair and | + | | | corresponding | + | | | object-signing | + | | | certificate with the given | + | | | nickname. The newly | + | | | generated keys and | + | | | certificate are installed into | + | | | the key and | + | | | certificate | + | | | databases in the directory | + | | | specified by the -d option. | + | | | With the NT version | + | | | of Netscape Signing Tool, you | + | | | must use the -d | + | | | option with the -G | + | | | option. With the Unix version | + | | | of Netscape | + | | | Signing Tool, | + | | | omitting the -d option causes | + | | | the tool to install | + | | | the keys and | + | | | certificate in the | + | | | Communicator key and | + | | | certificate | + | | | databases. If you | + | | | are installing the keys and | + | | | certificate in the | + | | | Communicator | + | | | databases, you must exit | + | | | Communicator before using | + | | | this option; | + | | | otherwise, you risk corrupting | + | | | the databases. In all | + | | | cases, the | + | | | certificate is also output to | + | | | a file named x509.cacert, | + | | | which has the | + | | | MIME-type | + | | | application/x-x509-ca-cert. | + | | | Unlike | + | | | certificates | + | | | normally used to sign finished | + | | | code to be distributed | + | | | over a network, a | + | | | test certificate created with | + | | | -G is not signed | + | | | by a recognized | + | | | certificate authority. | + | | | Instead, it is self-signed. | + | | | In addition, a | + | | | single test signing | + | | | certificate functions as both | + | | | an object-signing | + | | | certificate and a CA. When you | + | | | are using it to | + | | | sign objects, it | + | | | behaves like an object-signing | + | | | certificate. When | + | | | it is imported into | + | | | browser software such as | + | | | Communicator, it | + | | | behaves like an | + | | | object-signing CA and cannot | + | | | be used to sign | + | | | objects. The -G | + | | | option is available in | + | | | Netscape Signing Tool 1.0 | + | | | and later versions | + | | | only. By default, it produces | + | | | only RSA | + | | | certificates with | + | | | 1024-byte keys in the internal | + | | | token. However, | + | | | you can use the -s | + | | | option specify the required | + | | | key size and the -t | + | | | option to specify | + | | | the token. For more | + | | | information about the use of | + | | | the -G option, see | + | | | "Generating Test | + | | | Object-Signing | + | | | | + | | | Certificates""Generating Test | + | | | Object-Signing Certificates" | + | | | on page | + | | | 1241. | + | | | -l | + | | | Lists signing | + | | | certificates, including | + | | | issuing CAs. If any of your | + | | | certificates are | + | | | expired or invalid, the list | + | | | will so specify. | + | | | This option can be | + | | | used with the -k option to | + | | | list detailed | + | | | information about a | + | | | particular signing | + | | | certificate. The -l option | + | | | is available in | + | | | Netscape Signing Tool 1.0 and | + | | | later versions only. | + | | | -J | + | | | Signs a directory | + | | | of HTML files containing | + | | | JavaScript and creates | + | | | as many archive | + | | | files as are specified in the | + | | | HTML tags. Even if | + | | | signtool creates | + | | | more than one archive file, | + | | | you need to supply | + | | | the key database | + | | | password only once. The -J | + | | | option is available | + | | | only in Netscape | + | | | Signing Tool 1.0 and later | + | | | versions. The -J | + | | | option cannot be | + | | | used at the same time as the | + | | | -Z option. If the | + | | | -c# option is not | + | | | used with the -J option, the | + | | | default compression | + | | | value is 6. Note | + | | | that versions 1.1 and later of | + | | | Netscape Signing | + | | | Tool correctly | + | | | recognizes the CODEBASE | + | | | attribute, allows paths to | + | | | be expressed for | + | | | the CLASS and SRC attributes | + | | | instead of filenames | + | | | only, processes | + | | | LINK tags and parses HTML | + | | | correctly, and offers | + | | | clearer error | + | | | messages. | + | | | -L | + | | | Lists the | + | | | certificates in your database. | + | | | An asterisk appears to | + | | | the left of the | + | | | nickname for any certificate | + | | | that can be used to | + | | | sign objects with | + | | | signtool. | + | | | --leavearc | + | | | Retains the | + | | | temporary .arc (archive) | + | | | directories that the -J | + | | | option creates. | + | | | These directories are | + | | | automatically erased by | + | | | default. Retaining | + | | | the temporary directories can | + | | | be an aid to | + | | | debugging. | + | | | -m metafile | + | | | Specifies the name | + | | | of a metadata control file. | + | | | Metadata is signed | + | | | information | + | | | attached either to the JAR | + | | | archive itself or to files | + | | | within the archive. | + | | | This metadata can be any ASCII | + | | | string, but is | + | | | used mainly for | + | | | specifying an installer | + | | | script. The metadata file | + | | | contains one entry | + | | | per line, each with three | + | | | fields: field #1: | + | | | file specification, | + | | | or + if you want to specify | + | | | global metadata | + | | | (that is, metadata | + | | | about the JAR archive itself | + | | | or all entries in | + | | | the archive) field | + | | | #2: the name of the data you | + | | | are specifying; | + | | | for example: | + | | | Install-Script field #3: data | + | | | corresponding to the | + | | | name in field #2 | + | | | For example, the -i option | + | | | uses the equivalent of | + | | | this line: + | + | | | Install-Script: script.js This | + | | | example associates a | + | | | MIME type with a | + | | | file: movie.qt MIME-Type: | + | | | video/quicktime For | + | | | information about | + | | | the way installer script | + | | | information appears in | + | | | the manifest file | + | | | for a JAR archive, see The JAR | + | | | Format on | + | | | Netscape DevEdge. | + | | | -M | + | | | Lists the PKCS #11 | + | | | modules available to signtool, | + | | | including smart | + | | | cards. The -M | + | | | option is available in | + | | | Netscape Signing Tool 1.0 and | + | | | later versions | + | | | only. For information on using | + | | | Netscape Signing | + | | | Tool with smart | + | | | cards, see "Using Netscape | + | | | Signing Tool with Smart | + | | | Cards". For | + | | | information on using the -M | + | | | option to verify | + | | | FIPS-140-1 | + | | | validated mode, see "Netscape | + | | | Signing Tool and | + | | | FIPS-140-1". | + | | | --norecurse | + | | | Blocks recursion | + | | | into subdirectories when | + | | | signing a directory's | + | | | contents or when | + | | | parsing HTML. | + | | | -o | + | | | Optimizes the | + | | | archive for size. Use this | + | | | only if you are signing | + | | | very large archives | + | | | containing hundreds of files. | + | | | This option | + | | | makes the manifest | + | | | files (required by the JAR | + | | | format) considerably | + | | | smaller, but they | + | | | contain slightly less | + | | | information. | + | | | --outfile outputfile | + | | | Specifies a file to | + | | | receive redirected output from | + | | | Netscape | + | | | Signing Tool. | + | | | -p password | + | | | Specifies a | + | | | password for the private-key | + | | | database. Note that the | + | | | password entered on | + | | | the command line is displayed | + | | | as plain text. | + | | | -s keysize | + | | | Specifies the size | + | | | of the key for generated | + | | | certificate. Use the | + | | | -M option to find | + | | | out what tokens are available. | + | | | The -s option can | + | | | be used with the -G | + | | | option only. | + | | | -t token | + | | | Specifies which | + | | | available token should | + | | | generate the key and | + | | | receive the | + | | | certificate. Use the -M option | + | | | to find out what tokens | + | | | are available. The | + | | | -t option can be used with the | + | | | -G option only. | + | | | -v archive | + | | | Displays the | + | | | contents of an archive and | + | | | verifies the cryptographic | + | | | integrity of the | + | | | digital signatures it contains | + | | | and the files with | + | | | which they are | + | | | associated. This includes | + | | | checking that the | + | | | certificate for the | + | | | issuer of the object-signing | + | | | certificate is | + | | | listed in the | + | | | certificate database, that the | + | | | CA's digital | + | | | signature on the | + | | | object-signing certificate is | + | | | valid, that the | + | | | relevant | + | | | certificates have not expired, | + | | | and so on. | + | | | --verbosity value | + | | | Sets the quantity | + | | | of information Netscape | + | | | Signing Tool generates | + | | | in operation. A | + | | | value of 0 (zero) is the | + | | | default and gives full | + | | | information. A | + | | | value of -1 suppresses most | + | | | messages, but not error | + | | | messages. | + | | | -w archive | + | | | Displays the names | + | | | of signers of any files in the | + | | | archive. | + | | | -x directory | + | | | Excludes the | + | | | specified directory from | + | | | signing. Note that with | + | | | Netscape Signing | + | | | Tool version 1.1 and later | + | | | this option can appear | + | | | multiple times on | + | | | one command line, making it | + | | | possible to specify | + | | | several particular | + | | | directories to exclude. | + | | | -z | + | | | Tells signtool not | + | | | to store the signing time in | + | | | the digital | + | | | signature. This | + | | | option is useful if you want | + | | | the expiration date | + | | | of the signature | + | | | checked against the current | + | | | date and time rather | + | | | than the time the | + | | | files were signed. | + | | | -Z jarfile | + | | | Creates a JAR file | + | | | with the specified name. You | + | | | must specify this | + | | | option if you want | + | | | signtool to create the JAR | + | | | file; it does not do | + | | | so automatically. | + | | | If you don't specify -Z, you | + | | | must use an | + | | | external ZIP tool | + | | | to create the JAR file. The -Z | + | | | option cannot be | + | | | used at the same | + | | | time as the -J option. If the | + | | | -c# option is not | + | | | used with the -Z | + | | | option, the default | + | | | compression value is 6. | + | | | The Command File Format | + | | | Entries in a Netscape | + | | | Signing Tool command file have | + | | | this general format: | + | | | keyword=value Everything | + | | | before the = sign on a single | + | | | line is a keyword, | + | | | and everything from the = | + | | | sign to the end of line is a | + | | | value. The value | + | | | may include = signs; only | + | | | the first = sign on a line is | + | | | interpreted. Blank | + | | | lines are ignored, but | + | | | white space on a line with | + | | | keywords and values is | + | | | assumed to be part of the | + | | | keyword (if it comes before | + | | | the equal sign) or | + | | | part of the value (if it | + | | | comes after the first equal | + | | | sign). Keywords are | + | | | case insensitive, values | + | | | are generally case sensitive. | + | | | Since the = sign | + | | | and newline delimit the | + | | | value, it should not be | + | | | quoted. | + | | | Subsection | + | | | basename | + | | | Same as -b option. | + | | | compression | + | | | Same as -c option. | + | | | certdir | + | | | Same as -d option. | + | | | extension | + | | | Same as -e option. | + | | | generate | + | | | Same as -G option. | + | | | installscript | + | | | Same as -i option. | + | | | javascriptdir | + | | | Same as -j option. | + | | | htmldir | + | | | Same as -J option. | + | | | certname | + | | | Nickname of | + | | | certificate, as with -k and -l | + | | | -k options. | + | | | signdir | + | | | The directory to be | + | | | signed, as with -k option. | + | | | list | + | | | Same as -l option. | + | | | Value is ignored, but = sign | + | | | must be present. | + | | | listall | + | | | Same as -L option. | + | | | Value is ignored, but = sign | + | | | must be present. | + | | | metafile | + | | | Same as -m option. | + | | | modules | + | | | Same as -M option. | + | | | Value is ignored, but = sign | + | | | must be present. | + | | | optimize | + | | | Same as -o option. | + | | | Value is ignored, but = sign | + | | | must be present. | + | | | password | + | | | Same as -p option. | + | | | keysize | + | | | Same as -s option. | + | | | token | + | | | Same as -t option. | + | | | verify | + | | | Same as -v option. | + | | | who | + | | | Same as -w option. | + | | | exclude | + | | | Same as -x option. | + | | | notime | + | | | Same as -z option. | + | | | value is ignored, but = sign | + | | | must be present. | + | | | jarfile | + | | | Same as -Z option. | + | | | outfile | + | | | Name of a file to | + | | | which output and error | + | | | messages will be | + | | | redirected. This | + | | | option has no command-line | + | | | equivalent. | + | | | Extended Examples | + | | | The following example will | + | | | do this and that | + | | | Listing Available Signing | + | | | Certificates | + | | | You use the -L option to | + | | | list the nicknames for all | + | | | available certificates | + | | | and check which ones are | + | | | signing certificates. | + | | | signtool -L | + | | | using certificate directory: | + | | | /u/jsmith/.netscape | + | | | S Certificates | + | | | - ------------ | + | | | BBN Certificate Services CA | + | | | Root 1 | + | | | IBM World Registry CA | + | | | VeriSign Class 1 CA - | + | | | Individual Subscriber - | + | | | VeriSign, Inc. | + | | | GTE CyberTrust Root CA | + | | | Uptime Group Plc. Class 4 | + | | | CA | + | | | \* Verisign Object Signing | + | | | Cert | + | | | Integrion CA | + | | | GTE CyberTrust Secure | + | | | Server CA | + | | | AT&T Directory Services | + | | | \* test object signing cert | + | | | Uptime Group Plc. Class 1 | + | | | CA | + | | | VeriSign Class 1 Primary CA | + | | | - ------------ | + | | | Certificates that can be used | + | | | to sign objects have \*'s to | + | | | their left. | + | | | Two signing certificates | + | | | are displayed: Verisign Object | + | | | Signing Cert and | + | | | test object signing cert. | + | | | You use the -l option to | + | | | get a list of signing | + | | | certificates only, | + | | | including the signing CA | + | | | for each. | + | | | signtool -l | + | | | using certificate directory: | + | | | /u/jsmith/.netscape | + | | | Object signing certificates | + | | | --------- | + | | | ------------------------------ | + | | | Verisign Object Signing Cert | + | | | Issued by: VeriSign, Inc. | + | | | - Verisign, Inc. | + | | | Expires: Tue May 19, 1998 | + | | | test object signing cert | + | | | Issued by: test object | + | | | signing cert (Signtool 1.0 | + | | | Testing | + | | | Certificate (960187691)) | + | | | Expires: Sun May 17, 1998 | + | | | --------- | + | | | ------------------------------ | + | | | For a list including CAs, | + | | | use the -L option. | + | | | Signing a File | + | | | 1. Create an empty | + | | | directory. | + | | | mkdir signdir | + | | | 2. Put some file into it. | + | | | echo boo > signdir/test.f | + | | | 3. Specify the name of your | + | | | object-signing certificate and | + | | | sign the | + | | | directory. | + | | | signtool -k MySignCert -Z | + | | | testjar.jar signdir | + | | | using key "MySignCert" | + | | | using certificate directory: | + | | | /u/jsmith/.netscape | + | | | Generating | + | | | signdir/META-INF/manifest.mf | + | | | file.. | + | | | --> test.f | + | | | adding signdir/test.f to | + | | | testjar.jar | + | | | Generating signtool.sf file.. | + | | | Enter Password or Pin for | + | | | "Communicator Certificate DB": | + | | | adding | + | | | signdir/META-INF/manifest.mf | + | | | to testjar.jar | + | | | adding | + | | | signdir/META-INF/signtool.sf | + | | | to testjar.jar | + | | | adding | + | | | signdir/META-INF/signtool.rsa | + | | | to testjar.jar | + | | | tree "signdir" signed | + | | | successfully | + | | | 4. Test the archive you | + | | | just created. | + | | | signtool -v testjar.jar | + | | | using certificate directory: | + | | | /u/jsmith/.netscape | + | | | archive "testjar.jar" has | + | | | passed crypto verification. | + | | | status path | + | | | ------------ | + | | | ------------------- | + | | | verified test.f | + | | | Using Netscape Signing Tool | + | | | with a ZIP Utility | + | | | To use Netscape Signing | + | | | Tool with a ZIP utility, you | + | | | must have the utility | + | | | in your path environment | + | | | variable. You should use the | + | | | zip.exe utility | + | | | rather than pkzip.exe, | + | | | which cannot handle long | + | | | filenames. You can use a | + | | | ZIP utility instead of the | + | | | -Z option to package a signed | + | | | archive into a | + | | | JAR file after you have | + | | | signed it: | + | | | cd signdir | + | | | zip -r ../myjar.jar \* | + | | | adding: META-INF/ (stored | + | | | 0%) | + | | | adding: | + | | | META-INF/manifest.mf (deflated | + | | | 15%) | + | | | adding: | + | | | META-INF/signtool.sf (deflated | + | | | 28%) | + | | | adding: | + | | | META-INF/signtool.rsa (stored | + | | | 0%) | + | | | adding: text.txt (stored | + | | | 0%) | + | | | Generating the Keys and | + | | | Certificate | + | | | The signtool option -G | + | | | generates a new public-private | + | | | key pair and | + | | | certificate. It takes the | + | | | nickname of the new | + | | | certificate as an argument. | + | | | The newly generated keys | + | | | and certificate are installed | + | | | into the key and | + | | | certificate databases in | + | | | the directory specified by the | + | | | -d option. With | + | | | the NT version of Netscape | + | | | Signing Tool, you must use the | + | | | -d option with | + | | | the -G option. With the | + | | | Unix version of Netscape | + | | | Signing Tool, omitting | + | | | the -d option causes the | + | | | tool to install the keys and | + | | | certificate in the | + | | | Communicator key and | + | | | certificate databases. In all | + | | | cases, the certificate | + | | | is also output to a file | + | | | named x509.cacert, which has | + | | | the MIME-type | + | | | application/x-x509-ca-cert. | + | | | Certificates contain | + | | | standard information about the | + | | | entity they identify, | + | | | such as the common name and | + | | | organization name. Netscape | + | | | Signing Tool | + | | | prompts you for this | + | | | information when you run the | + | | | command with the -G | + | | | option. However, all of the | + | | | requested fields are optional | + | | | for test | + | | | certificates. If you do not | + | | | enter a common name, the tool | + | | | provides a | + | | | default name. In the | + | | | following example, the user | + | | | input is in boldface: | + | | | signtool -G MyTestCert | + | | | using certificate directory: | + | | | /u/someuser/.netscape | + | | | Enter certificate | + | | | information. All fields are | + | | | optional. Acceptable | + | | | characters are numbers, | + | | | letters, spaces, and | + | | | apostrophes. | + | | | certificate common name: Test | + | | | Object Signing Certificate | + | | | organization: Netscape | + | | | Communications Corp. | + | | | organization unit: Server | + | | | Products Division | + | | | state or province: California | + | | | country (must be exactly 2 | + | | | characters): US | + | | | username: someuser | + | | | email address: | + | | | someuser@netscape.com | + | | | Enter Password or Pin for | + | | | "Communicator Certificate DB": | + | | | [Password will not echo] | + | | | generated public/private key | + | | | pair | + | | | certificate request generated | + | | | certificate has been signed | + | | | certificate "MyTestCert" | + | | | added to database | + | | | Exported certificate to | + | | | x509.raw and x509.cacert. | + | | | The certificate information | + | | | is read from standard input. | + | | | Therefore, the | + | | | information can be read | + | | | from a file using the | + | | | redirection operator (<) in | + | | | some operating systems. To | + | | | create a file for this | + | | | purpose, enter each of | + | | | the seven input fields, in | + | | | order, on a separate line. | + | | | Make sure there is a | + | | | newline character at the | + | | | end of the last line. Then run | + | | | signtool with | + | | | standard input redirected | + | | | from your file as follows: | + | | | signtool -G MyTestCert | + | | | inputfile | + | | | The prompts show up on the | + | | | screen, but the responses will | + | | | be automatically | + | | | read from the file. The | + | | | password will still be read | + | | | from the console | + | | | unless you use the -p | + | | | option to give the password on | + | | | the command line. | + | | | Using the -M Option to List | + | | | Smart Cards | + | | | You can use the -M option | + | | | to list the PKCS #11 modules, | + | | | including smart | + | | | cards, that are available | + | | | to signtool: | + | | | signtool -d | + | | | "c:\netscape\users\jsmith" -M | + | | | using certificate directory: | + | | | c:\netscape\users\username | + | | | Listing of PKCS11 modules | + | | | ----------------- | + | | | ------------------------------ | + | | | 1. Netscape Internal | + | | | PKCS #11 Module | + | | | | + | | | (this module is internally | + | | | loaded) | + | | | | + | | | slots: 2 slots attached | + | | | | + | | | status: loaded | + | | | slot: Communicator | + | | | Internal Cryptographic | + | | | Services Version 4.0 | + | | | token: Communicator | + | | | Generic Crypto Svcs | + | | | slot: Communicator | + | | | User Private Key and | + | | | Certificate Services | + | | | token: Communicator | + | | | Certificate DB | + | | | 2. CryptOS | + | | | | + | | | (this is an external module) | + | | | DLL name: core32 | + | | | slots: 1 slots | + | | | attached | + | | | status: loaded | + | | | slot: Litronic 210 | + | | | token: | + | | | | + | | | ----------------- | + | | | ------------------------------ | + | | | Using Netscape Signing Tool | + | | | and a Smart Card to Sign Files | + | | | The signtool command | + | | | normally takes an argument of | + | | | the -k option to | + | | | specify a signing | + | | | certificate. To sign with a | + | | | smart card, you supply only | + | | | the fully qualified name of | + | | | the certificate. | + | | | To see fully qualified | + | | | certificate names when you run | + | | | Communicator, click | + | | | the Security button in | + | | | Navigator, then click Yours | + | | | under Certificates in | + | | | the left frame. Fully | + | | | qualified names are of the | + | | | format smart | + | | | card:certificate, for | + | | | example "MyCard:My Signing | + | | | Cert". You use this name | + | | | with the -k argument as | + | | | follows: | + | | | signtool -k "MyCard:My | + | | | Signing Cert" directory | + | | | Verifying FIPS Mode | + | | | Use the -M option to verify | + | | | that you are using the | + | | | FIPS-140-1 module. | + | | | signtool -d | + | | | "c:\netscape\users\jsmith" -M | + | | | using certificate directory: | + | | | c:\netscape\users\jsmith | + | | | Listing of PKCS11 modules | + | | | ----------------- | + | | | ------------------------------ | + | | | 1. Netscape Internal PKCS | + | | | #11 Module | + | | | (this module is | + | | | internally loaded) | + | | | slots: 2 slots | + | | | attached | + | | | status: loaded | + | | | slot: Communicator | + | | | Internal Cryptographic | + | | | Services Version 4.0 | + | | | token: Communicator | + | | | Generic Crypto Svcs | + | | | slot: Communicator User | + | | | Private Key and Certificate | + | | | Services | + | | | token: Communicator | + | | | Certificate DB | + | | | ----------------- | + | | | ------------------------------ | + | | | This Unix example shows | + | | | that Netscape Signing Tool is | + | | | using a FIPS-140-1 | + | | | module: | + | | | signtool -d | + | | | "c:\netscape\users\jsmith" -M | + | | | using certificate directory: | + | | | c:\netscape\users\jsmith | + | | | Enter Password or Pin for | + | | | "Communicator Certificate DB": | + | | | [password will not echo] | + | | | Listing of PKCS11 modules | + | | | ----------------- | + | | | ------------------------------ | + | | | 1. Netscape Internal FIPS | + | | | PKCS #11 Module | + | | | (this module is internally | + | | | loaded) | + | | | slots: 1 slots attached | + | | | status: loaded | + | | | slot: Netscape Internal | + | | | FIPS-140-1 Cryptographic | + | | | Services | + | | | token: Communicator | + | | | Certificate DB | + | | | ----------------- | + | | | ------------------------------ | + | | | See Also | + | | | signver (1) | + | | | The NSS wiki has | + | | | information on the new | + | | | database design and how to | + | | | configure applications to | + | | | use it. | + | | | | + | | | o https://wiki.m | + | | | ozilla.org/NSS_Shared_DB_Howto | + | | | | + | | | o https:// | + | | | wiki.mozilla.org/NSS_Shared_DB | + | | | Additional Resources | + | | | For information about NSS | + | | | and other tools related to NSS | + | | | (like JSS), check | + | | | out the NSS project wiki at | + | | | | + | | | [1]\ `http://www.mozil | + | | | la.org/projects/security/pki/n | + | | | ss/ `__. | + | | | The NSS site relates | + | | | directly to NSS code | + | | | changes and releases. | + | | | Mailing lists: | + | | | https://lists.mozill | + | | | a.org/listinfo/dev-tech-crypto | + | | | IRC: Freenode at | + | | | #dogtag-pki | + | | | Authors | + | | | The NSS tools were written | + | | | and maintained by developers | + | | | with Netscape, Red | + | | | Hat, and Sun. | + | | | Authors: Elio Maldonado | + | | | , Deon | + | | | Lackey | + | | | . | + | | | Copyright | + | | | (c) 2010, Red Hat, Inc. | + | | | Licensed under the GNU Public | + | | | License version 2. | + | | | References | + | | | Visible links | + | | | 1. | + | | | `http://www.mozi | + | | | lla.org/projects/security/pki/ | + | | | nss/ `__ | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 356 | :ref:`mozil | | + | | la_projects_nss_tools_signver` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Name | + | | | signver — Verify a detached | + | | | PKCS#7 signature for a file. | + | | | Synopsis | + | | | signtool -A \| -V -d | + | | | directory [-a] [-i input_file] | + | | | [-o output_file] [-s | + | | | signature_file] [-v] | + | | | Description | + | | | The Signature Verification | + | | | Tool, signver, is a simple | + | | | command-line utility | + | | | that unpacks a | + | | | base-64-encoded PKCS#7 signed | + | | | object and verifies the | + | | | digital signature using | + | | | standard cryptographic | + | | | techniques. The Signature | + | | | Verification Tool can also | + | | | display the contents of the | + | | | signed object. | + | | | Options | + | | | -A | + | | | Displays all of the | + | | | information in the PKCS#7 | + | | | signature. | + | | | -V | + | | | Verifies the | + | | | digital signature. | + | | | -d [sql:]directory | + | | | Specify the | + | | | database directory which | + | | | contains the certificates and | + | | | keys. | + | | | signver supports | + | | | two types of databases: the | + | | | legacy security | + | | | databases | + | | | (cert8.db, key3.db, and | + | | | secmod.db) and new SQLite | + | | | databases | + | | | (cert9.db, key4.db, and | + | | | pkcs11.txt). If the prefix | + | | | sql: | + | | | is not used, then | + | | | the tool assumes that the | + | | | given databases are in | + | | | the old format. | + | | | -a | + | | | Sets that the given | + | | | signature file is in ASCII | + | | | format. | + | | | -i input_file | + | | | Gives the input | + | | | file for the object with | + | | | signed data. | + | | | -o output_file | + | | | Gives the output | + | | | file to which to write the | + | | | results. | + | | | -s signature_file | + | | | Gives the input | + | | | file for the digital | + | | | signature. | + | | | -v | + | | | Enables verbose | + | | | output. | + | | | Extended Examples | + | | | Verifying a Signature | + | | | The -V option verifies that | + | | | the signature in a given | + | | | signature file is | + | | | valid when used to sign the | + | | | given object (from the input | + | | | file). | + | | | signver -V -s signature_file | + | | | -i signed_file -d | + | | | sql:/home/my/sharednssdb | + | | | signatureValid=yes | + | | | Printing Signature Data | + | | | The -A option prints all of | + | | | the information contained in a | + | | | signature file. | + | | | Using the -o option prints | + | | | the signature file information | + | | | to the given | + | | | output file rather than | + | | | stdout. | + | | | signver -A -s signature_file | + | | | -o output_file | + | | | NSS Database Types | + | | | NSS originally used | + | | | BerkeleyDB databases to store | + | | | security information. | + | | | The last versions of these | + | | | legacy databases are: | + | | | o cert8.db for | + | | | certificates | + | | | o key3.db for keys | + | | | o secmod.db for PKCS #11 | + | | | module information | + | | | BerkeleyDB has performance | + | | | limitations, though, which | + | | | prevent it from | + | | | being easily used by | + | | | multiple applications | + | | | simultaneously. NSS has some | + | | | flexibility that allows | + | | | applications to use their own, | + | | | independent | + | | | database engine while | + | | | keeping a shared database and | + | | | working around the | + | | | access issues. Still, NSS | + | | | requires more flexibility to | + | | | provide a truly | + | | | shared security database. | + | | | In 2009, NSS introduced a | + | | | new set of databases that are | + | | | SQLite databases | + | | | rather than BerkleyDB. | + | | | These new databases provide | + | | | more accessibility and | + | | | performance: | + | | | o cert9.db for | + | | | certificates | + | | | o key4.db for keys | + | | | o pkcs11.txt, which is | + | | | listing of all of the PKCS #11 | + | | | modules contained | + | | | in a new subdirectory | + | | | in the security databases | + | | | directory | + | | | Because the SQLite | + | | | databases are designed to be | + | | | shared, these are the | + | | | shared database type. The | + | | | shared database type is | + | | | preferred; the legacy | + | | | format is included for | + | | | backward compatibility. | + | | | By default, the tools | + | | | (certutil, pk12util, modutil) | + | | | assume that the given | + | | | security databases follow | + | | | the more common legacy type. | + | | | Using the SQLite | + | | | databases must be manually | + | | | specified by using the sql: | + | | | prefix with the | + | | | given security directory. | + | | | For example: | + | | | # signver -A -s signature -d | + | | | sql:/home/my/sharednssdb | + | | | To set the shared database | + | | | type as the default type for | + | | | the tools, set the | + | | | NSS_DEFAULT_DB_TYPE | + | | | environment variable to sql: | + | | | export | + | | | NSS_DEFAULT_DB_TYPE="sql" | + | | | This line can be set added | + | | | to the ~/.bashrc file to make | + | | | the change | + | | | permanent. | + | | | Most applications do not | + | | | use the shared database by | + | | | default, but they can | + | | | be configured to use them. | + | | | For example, this how-to | + | | | article covers how to | + | | | configure Firefox and | + | | | Thunderbird to use the new | + | | | shared NSS databases: | + | | | | + | | | o https://wiki.m | + | | | ozilla.org/NSS_Shared_DB_Howto | + | | | For an engineering draft on | + | | | the changes in the shared NSS | + | | | databases, see | + | | | the NSS project wiki: | + | | | | + | | | o https:// | + | | | wiki.mozilla.org/NSS_Shared_DB | + | | | See Also | + | | | signtool (1) | + | | | The NSS wiki has | + | | | information on the new | + | | | database design and how to | + | | | configure applications to | + | | | use it. | + | | | o Setting up the shared | + | | | NSS database | + | | | | + | | | https://wiki.m | + | | | ozilla.org/NSS_Shared_DB_Howto | + | | | o Engineering and | + | | | technical information about | + | | | the shared NSS database | + | | | | + | | | https:// | + | | | wiki.mozilla.org/NSS_Shared_DB | + | | | Additional Resources | + | | | For information about NSS | + | | | and other tools related to NSS | + | | | (like JSS), check | + | | | out the NSS project wiki at | + | | | | + | | | [1]\ `http://www.mozil | + | | | la.org/projects/security/pki/n | + | | | ss/ `__. | + | | | The NSS site relates | + | | | directly to NSS code | + | | | changes and releases. | + | | | Mailing lists: | + | | | https://lists.mozill | + | | | a.org/listinfo/dev-tech-crypto | + | | | IRC: Freenode at | + | | | #dogtag-pki | + | | | Authors | + | | | The NSS tools were written | + | | | and maintained by developers | + | | | with Netscape, Red | + | | | Hat, and Sun. | + | | | Authors: Elio Maldonado | + | | | , Deon | + | | | Lackey | + | | | . | + | | | Copyright | + | | | (c) 2010, Red Hat, Inc. | + | | | Licensed under the GNU Public | + | | | License version 2. | + | | | References | + | | | Visible links | + | | | 1. | + | | | `http://www.mozi | + | | | lla.org/projects/security/pki/ | + | | | nss/ `__ | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 357 | :ref:`mozi | | + | | lla_projects_nss_tools_ssltap` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Name | + | | | ssltap — Tap into SSL | + | | | connections and display the | + | | | data going by | + | | | Synopsis | + | | | libssltap [-vhfsxl] [-p | + | | | port] [hostname:port] | + | | | Description | + | | | The SSL Debugging Tool | + | | | ssltap is an SSL-aware | + | | | command-line proxy. It | + | | | watches TCP connections and | + | | | displays the data going by. If | + | | | a connection is | + | | | SSL, the data display | + | | | includes interpreted SSL | + | | | records and handshaking | + | | | Options | + | | | -v | + | | | Print a version | + | | | string for the tool. | + | | | -h | + | | | Turn on hex/ASCII | + | | | printing. Instead of | + | | | outputting raw data, the | + | | | command interprets | + | | | each record as a numbered line | + | | | of hex values, | + | | | followed by the | + | | | same data as ASCII characters. | + | | | The two parts are | + | | | separated by a | + | | | vertical bar. Nonprinting | + | | | characters are replaced | + | | | by dots. | + | | | -f | + | | | Turn on fancy | + | | | printing. Output is printed in | + | | | colored HTML. Data | + | | | sent from the | + | | | client to the server is in | + | | | blue; the server's reply | + | | | is in red. When | + | | | used with looping mode, the | + | | | different connections | + | | | are separated with | + | | | horizontal lines. You can use | + | | | this option to | + | | | upload the output | + | | | into a browser. | + | | | -s | + | | | Turn on SSL parsing | + | | | and decoding. The tool does | + | | | not automatically | + | | | detect SSL | + | | | sessions. If you are | + | | | intercepting an SSL | + | | | connection, | + | | | use this option so | + | | | that the tool can detect and | + | | | decode SSL | + | | | structures. | + | | | If the tool detects | + | | | a certificate chain, it saves | + | | | the DER-encoded | + | | | certificates into | + | | | files in the current | + | | | directory. The files are | + | | | named cert.0x, | + | | | where x is the sequence number | + | | | of the certificate. | + | | | If the -s option is | + | | | used with -h, two separate | + | | | parts are printed | + | | | for each record: | + | | | the plain hex/ASCII output, | + | | | and the parsed SSL | + | | | output. | + | | | -x | + | | | Turn on hex/ASCII | + | | | printing of undecoded data | + | | | inside parsed SSL | + | | | records. Used only | + | | | with the -s option. This | + | | | option uses the same | + | | | output format as | + | | | the -h option. | + | | | -l prefix | + | | | Turn on looping; | + | | | that is, continue to accept | + | | | connections rather | + | | | than stopping after | + | | | the first connection is | + | | | complete. | + | | | -p port | + | | | Change the default | + | | | rendezvous port (1924) to | + | | | another port. | + | | | The following are | + | | | well-known port numbers: | + | | | \* HTTP 80 | + | | | \* HTTPS 443 | + | | | \* SMTP 25 | + | | | \* FTP 21 | + | | | \* IMAP 143 | + | | | \* IMAPS 993 (IMAP | + | | | over SSL) | + | | | \* NNTP 119 | + | | | \* NNTPS 563 (NNTP | + | | | over SSL) | + | | | Usage and Examples | + | | | You can use the SSL | + | | | Debugging Tool to intercept | + | | | any connection | + | | | information. Although you | + | | | can run the tool at its most | + | | | basic by issuing | + | | | the ssltap command with no | + | | | options other than | + | | | hostname:port, the | + | | | information you get in this | + | | | way is not very useful. For | + | | | example, assume | + | | | your development machine is | + | | | called intercept. The simplest | + | | | way to use the | + | | | debugging tool is to | + | | | execute the following command | + | | | from a command shell: | + | | | $ ssltap www.netscape.com | + | | | The program waits for an | + | | | incoming connection on the | + | | | default port 1924. In | + | | | your browser window, enter | + | | | the URL http://intercept:1924. | + | | | The browser | + | | | retrieves the requested | + | | | page from the server at | + | | | www.netscape.com, but the | + | | | page is intercepted and | + | | | passed on to the browser by | + | | | the debugging tool on | + | | | intercept. On its way to | + | | | the browser, the data is | + | | | printed to the command | + | | | shell from which you issued | + | | | the command. Data sent from | + | | | the client to the | + | | | server is surrounded by the | + | | | following symbols: --> [ data | + | | | ] Data sent from | + | | | the server to the client is | + | | | surrounded by the following | + | | | symbols: "left | + | | | arrow"-- [ data ] The raw | + | | | data stream is sent to | + | | | standard output and is | + | | | not interpreted in any way. | + | | | This can result in peculiar | + | | | effects, such as | + | | | sounds, flashes, and even | + | | | crashes of the command shell | + | | | window. To output a | + | | | basic, printable | + | | | interpretation of the data, | + | | | use the -h option, or, if you | + | | | are looking at an SSL | + | | | connection, the -s option. You | + | | | will notice that the | + | | | page you retrieved looks | + | | | incomplete in the browser. | + | | | This is because, by | + | | | default, the tool closes | + | | | down after the first | + | | | connection is complete, so | + | | | the browser is not able to | + | | | load images. To make the tool | + | | | continue to | + | | | accept connections, switch | + | | | on looping mode with the -l | + | | | option. The | + | | | following examples show the | + | | | output from commonly used | + | | | combinations of | + | | | options. | + | | | Example 1 | + | | | $ ssltap.exe -sx -p 444 | + | | | interzone.mcom.com:443 > | + | | | sx.txt | + | | | Output | + | | | Connected to | + | | | interzone.mcom.com:443 | + | | | -->; [ | + | | | alloclen = 66 bytes | + | | | [ssl2] ClientHelloV2 { | + | | | version = {0x03, | + | | | 0x00} | + | | | | + | | | cipher-specs-length = 39 | + | | | (0x27) | + | | | sid-length = 0 | + | | | (0x00) | + | | | challenge-length | + | | | = 16 (0x10) | + | | | cipher-suites = { | + | | | (0x010080) | + | | | SSL2/RSA/RC4-128/MD5 | + | | | (0x020080) | + | | | SSL2/RSA/RC4-40/MD5 | + | | | (0x030080) | + | | | SSL2/RSA/RC2CBC128/MD5 | + | | | (0x040080) | + | | | SSL2/RSA/RC2CBC40/MD5 | + | | | (0x060040) | + | | | SSL2/RSA/DES64CBC/MD5 | + | | | (0x0700c0) | + | | | SSL2/RSA/3DES192EDE-CBC/MD5 | + | | | (0x000004) | + | | | SSL3/RSA/RC4-128/MD5 | + | | | (0x00ffe0) | + | | | SS | + | | | L3/RSA-FIPS/3DES192EDE-CBC/SHA | + | | | (0x00000a) | + | | | SSL3/RSA/3DES192EDE-CBC/SHA | + | | | (0x00ffe1) | + | | | SSL3/RSA-FIPS/DES64CBC/SHA | + | | | (0x000009) | + | | | SSL3/RSA/DES64CBC/SHA | + | | | (0x000003) | + | | | SSL3/RSA/RC4-40/MD5 | + | | | (0x000006) | + | | | SSL3/RSA/RC2CBC40/MD5 | + | | | } | + | | | session-id = { } | + | | | challenge = { | + | | | 0xec5d 0x8edb 0x37c9 0xb5c9 | + | | | 0x7b70 0x8fe9 0xd1d3 | + | | | 0x2592 } | + | | | } | + | | | ] | + | | | <-- [ | + | | | SSLRecord { | + | | | 0: 16 03 00 03 | + | | | e5 | + | | | | + | | | \|..... | + | | | type = 22 (handshake) | + | | | version = { 3,0 } | + | | | length = 997 (0x3e5) | + | | | handshake { | + | | | 0: 02 00 00 | + | | | 46 | + | | | | + | | | \|...F | + | | | type = 2 (server_hello) | + | | | length = 70 (0x000046) | + | | | ServerHello { | + | | | server_version = | + | | | {3, 0} | + | | | random = {...} | + | | | 0: 77 8c 6e 26 6c 0c ec | + | | | c0 d9 58 4f 47 d3 2d 01 45 | + | | | \| | + | | | wn&l.ì..XOG.-.E | + | | | 10: 5c 17 75 43 a7 4c 88 | + | | | c7 88 64 3c 50 41 48 4f 7f | + | | | \| | + | | | \.uC§L.Ç.d [ | + | | | SSLRecord { | + | | | 0: 16 03 00 00 | + | | | 44 | + | | | | + | | | \|....D | + | | | type = 22 (handshake) | + | | | version = { 3,0 } | + | | | length = 68 (0x44) | + | | | handshake { | + | | | 0: 10 00 00 | + | | | 40 | + | | | | + | | | \|...@ | + | | | type = 16 | + | | | (client_key_exchange) | + | | | length = 64 (0x000040) | + | | | ClientKeyExchange { | + | | | message = {...} | + | | | } | + | | | } | + | | | } | + | | | ] | + | | | --> [ | + | | | SSLRecord { | + | | | 0: 14 03 00 00 | + | | | 01 | + | | | | + | | | \|..... | + | | | type = 20 | + | | | (change_cipher_spec) | + | | | version = { 3,0 } | + | | | length = 1 (0x1) | + | | | 0: | + | | | 01 | + | | | | + | | | \|. | + | | | } | + | | | SSLRecord { | + | | | 0: 16 03 00 00 | + | | | 38 | + | | | | + | | | \|....8 | + | | | type = 22 (handshake) | + | | | version = { 3,0 } | + | | | length = 56 (0x38) | + | | | < encrypted > | + | | | } | + | | | ] | + | | | <-- [ | + | | | SSLRecord { | + | | | 0: 14 03 00 00 | + | | | 01 | + | | | | + | | | \|..... | + | | | type = 20 | + | | | (change_cipher_spec) | + | | | version = { 3,0 } | + | | | length = 1 (0x1) | + | | | 0: | + | | | 01 | + | | | | + | | | \|. | + | | | } | + | | | ] | + | | | <-- [ | + | | | SSLRecord { | + | | | 0: 16 03 00 00 | + | | | 38 | + | | | | + | | | \|....8 | + | | | type = 22 (handshake) | + | | | version = { 3,0 } | + | | | length = 56 (0x38) | + | | | < encrypted | + | | | > | + | | | } | + | | | ] | + | | | --> [ | + | | | SSLRecord { | + | | | 0: 17 03 00 01 | + | | | 1f | + | | | | + | | | \|..... | + | | | type = 23 | + | | | (application_data) | + | | | version = { 3,0 } | + | | | length = 287 (0x11f) | + | | | < encrypted > | + | | | } | + | | | ] | + | | | <-- [ | + | | | SSLRecord { | + | | | 0: 17 03 00 00 | + | | | a0 | + | | | | + | | | \|.... | + | | | type = 23 | + | | | (application_data) | + | | | version = { 3,0 } | + | | | length = 160 (0xa0) | + | | | < encrypted > | + | | | } | + | | | ] | + | | | <-- [ | + | | | SSLRecord { | + | | | 0: 17 03 00 00 | + | | | df | + | | | | + | | | \|....ß | + | | | type = 23 | + | | | (application_data) | + | | | version = { 3,0 } | + | | | length = 223 (0xdf) | + | | | < encrypted > | + | | | } | + | | | SSLRecord { | + | | | 0: 15 03 00 00 | + | | | 12 | + | | | | + | | | \|..... | + | | | type = 21 (alert) | + | | | version = { 3,0 } | + | | | length = 18 (0x12) | + | | | < encrypted > | + | | | } | + | | | ] | + | | | Server socket closed. | + | | | Example 2 | + | | | The -s option turns on SSL | + | | | parsing. Because the -x option | + | | | is not used in | + | | | this example, undecoded | + | | | values are output as raw data. | + | | | The output is | + | | | routed to a text file. | + | | | $ ssltap -s -p 444 | + | | | interzone.mcom.com:443 > s.txt | + | | | Output | + | | | Connected to | + | | | interzone.mcom.com:443 | + | | | --> [ | + | | | alloclen = 63 bytes | + | | | [ssl2] ClientHelloV2 { | + | | | version = {0x03, | + | | | 0x00} | + | | | | + | | | cipher-specs-length = 36 | + | | | (0x24) | + | | | sid-length = 0 | + | | | (0x00) | + | | | challenge-length | + | | | = 16 (0x10) | + | | | cipher-suites = { | + | | | (0x010080) | + | | | SSL2/RSA/RC4-128/MD5 | + | | | (0x020080) | + | | | SSL2/RSA/RC4-40/MD5 | + | | | (0x030080) | + | | | SSL2/RSA/RC2CBC128/MD5 | + | | | (0x060040) | + | | | SSL2/RSA/DES64CBC/MD5 | + | | | (0x0700c0) | + | | | SSL2/RSA/3DES192EDE-CBC/MD5 | + | | | (0x000004) | + | | | SSL3/RSA/RC4-128/MD5 | + | | | (0x00ffe0) | + | | | SS | + | | | L3/RSA-FIPS/3DES192EDE-CBC/SHA | + | | | (0x00000a) | + | | | SSL3/RSA/3DES192EDE-CBC/SHA | + | | | (0x00ffe1) | + | | | SSL3/RSA-FIPS/DES64CBC/SHA | + | | | (0x000009) | + | | | SSL3/RSA/DES64CBC/SHA | + | | | (0x000003) | + | | | SSL3/RSA/RC4-40/MD5 | + | | | } | + | | | session-id = { | + | | | } | + | | | challenge = { | + | | | 0x713c 0x9338 0x30e1 0xf8d6 | + | | | 0xb934 0x7351 0x200c | + | | | 0x3fd0 } | + | | | ] | + | | | >-- [ | + | | | SSLRecord { | + | | | type = 22 (handshake) | + | | | version = { 3,0 } | + | | | length = 997 (0x3e5) | + | | | handshake { | + | | | type = 2 | + | | | (server_hello) | + | | | length = 70 | + | | | (0x000046) | + | | | ServerHello { | + | | | server_version = | + | | | {3, 0} | + | | | random = {...} | + | | | session ID = { | + | | | length = 32 | + | | | contents = | + | | | {..} | + | | | } | + | | | cipher_suite = | + | | | (0x0003) SSL3/RSA/RC4-40/MD5 | + | | | } | + | | | type = 11 | + | | | (certificate) | + | | | length = 709 | + | | | (0x0002c5) | + | | | CertificateChain | + | | | { | + | | | chainlength = | + | | | 706 (0x02c2) | + | | | Certificate { | + | | | size = 703 | + | | | (0x02bf) | + | | | data = { | + | | | saved in file 'cert.001' } | + | | | } | + | | | } | + | | | type = 12 | + | | | (server_key_exchange) | + | | | length = 202 | + | | | (0x0000ca) | + | | | type = 14 | + | | | (server_hello_done) | + | | | length = 0 | + | | | (0x000000) | + | | | } | + | | | } | + | | | ] | + | | | --> [ | + | | | SSLRecord { | + | | | type = 22 (handshake) | + | | | version = { 3,0 } | + | | | length = 68 (0x44) | + | | | handshake { | + | | | type = 16 | + | | | (client_key_exchange) | + | | | length = 64 | + | | | (0x000040) | + | | | ClientKeyExchange | + | | | { | + | | | message = | + | | | {...} | + | | | } | + | | | } | + | | | } | + | | | ] | + | | | --> [ | + | | | SSLRecord { | + | | | type = 20 | + | | | (change_cipher_spec) | + | | | version = { 3,0 } | + | | | length = 1 (0x1) | + | | | } | + | | | SSLRecord { | + | | | type = 22 (handshake) | + | | | version = { 3,0 } | + | | | length = 56 (0x38) | + | | | > encrypted > | + | | | } | + | | | ] | + | | | >-- [ | + | | | SSLRecord { | + | | | type = 20 | + | | | (change_cipher_spec) | + | | | version = { 3,0 } | + | | | length = 1 (0x1) | + | | | } | + | | | ] | + | | | >-- [ | + | | | SSLRecord { | + | | | type = 22 (handshake) | + | | | version = { 3,0 } | + | | | length = 56 (0x38) | + | | | > encrypted > | + | | | } | + | | | ] | + | | | --> [ | + | | | SSLRecord { | + | | | type = 23 | + | | | (application_data) | + | | | version = { 3,0 } | + | | | length = 287 (0x11f) | + | | | > encrypted > | + | | | } | + | | | ] | + | | | [ | + | | | SSLRecord { | + | | | type = 23 | + | | | (application_data) | + | | | version = { 3,0 } | + | | | length = 160 (0xa0) | + | | | > encrypted > | + | | | } | + | | | ] | + | | | >-- [ | + | | | SSLRecord { | + | | | type = 23 | + | | | (application_data) | + | | | version = { 3,0 } | + | | | length = 223 (0xdf) | + | | | > encrypted > | + | | | } | + | | | SSLRecord { | + | | | type = 21 (alert) | + | | | version = { 3,0 } | + | | | length = 18 (0x12) | + | | | > encrypted > | + | | | } | + | | | ] | + | | | Server socket closed. | + | | | Example 3 | + | | | In this example, the -h | + | | | option turns hex/ASCII format. | + | | | There is no SSL | + | | | parsing or decoding. The | + | | | output is routed to a text | + | | | file. | + | | | $ ssltap -h -p 444 | + | | | interzone.mcom.com:443 > h.txt | + | | | Output | + | | | Connected to | + | | | interzone.mcom.com:443 | + | | | --> [ | + | | | 0: 80 40 01 03 00 00 27 | + | | | 00 00 00 10 01 00 80 02 00 | + | | | \| .@....'......... | + | | | 10: 80 03 00 80 04 00 80 | + | | | 06 00 40 07 00 c0 00 00 04 | + | | | \| .........@...... | + | | | 20: 00 ff e0 00 00 0a 00 | + | | | ff e1 00 00 09 00 00 03 00 | + | | | \| ........á....... | + | | | 30: 00 06 9b fe 5b 56 96 | + | | | 49 1f 9f ca dd d5 ba b9 52 | + | | | \| ..þ[V.I.\xd9 ...º¹R | + | | | 40: 6f | + | | | 2d | + | | | | + | | | \|o- | + | | | ] | + | | | <-- [ | + | | | 0: 16 03 00 03 e5 02 00 | + | | | 00 46 03 00 7f e5 0d 1b 1d | + | | | \| ........F....... | + | | | 10: 68 7f 3a 79 60 d5 17 | + | | | 3c 1d 9c 96 b3 88 d2 69 3b | + | | | \| h.:y`..<..³.Òi; | + | | | 20: 78 e2 4b 8b a6 52 12 | + | | | 4b 46 e8 c2 20 14 11 89 05 | + | | | \| x.K.¦R.KFè. ... | + | | | 30: 4d 52 91 fd 93 e0 51 | + | | | 48 91 90 08 96 c1 b6 76 77 | + | | | \| MR.ý..QH.....¶vw | + | | | 40: 2a f4 00 08 a1 06 61 | + | | | a2 64 1f 2e 9b 00 03 00 0b | + | | | \| \*ô..¡.a¢d...... | + | | | 50: 00 02 c5 00 02 c2 00 | + | | | 02 bf 30 82 02 bb 30 82 02 | + | | | \| ..Å......0...0.. | + | | | 60: 24 a0 03 02 01 02 02 | + | | | 02 01 36 30 0d 06 09 2a 86 | + | | | \| $ .......60...*. | + | | | 70: 48 86 f7 0d 01 01 04 | + | | | 05 00 30 77 31 0b 30 09 06 | + | | | \| H.÷......0w1.0.. | + | | | 80: 03 55 04 06 13 02 55 | + | | | 53 31 2c 30 2a 06 03 55 04 | + | | | \| .U....US1,0*..U. | + | | | 90: 0a 13 23 4e 65 74 73 | + | | | 63 61 70 65 20 43 6f 6d 6d | + | | | \| ..#Netscape Comm | + | | | a0: 75 6e 69 63 61 74 69 | + | | | 6f 6e 73 20 43 6f 72 70 6f | + | | | \| unications Corpo | + | | | b0: 72 61 74 69 6f 6e 31 | + | | | 11 30 0f 06 03 55 04 0b 13 | + | | | \| ration1.0...U... | + | | | c0: 08 48 61 72 64 63 6f | + | | | 72 65 31 27 30 25 06 03 55 | + | | | \| .Hardcore1'0%..U | + | | | d0: 04 03 13 1e 48 61 72 | + | | | 64 63 6f 72 65 20 43 65 72 | + | | | \| ....Hardcore Cer | + | | | e0: 74 69 66 69 63 61 74 | + | | | 65 20 53 65 72 76 65 72 20 | + | | | \| tificate Server | + | | | f0: 49 49 30 1e 17 0d 39 | + | | | 38 30 35 31 36 30 31 30 33 | + | | | \| II0...9805160103 | + | | | | + | | | ] | + | | | | + | | | Server socket closed. | + | | | Example 4 | + | | | In this example, the -s | + | | | option turns on SSL parsing, | + | | | and the -h option | + | | | turns on hex/ASCII format. | + | | | Both formats are shown for | + | | | each record. The | + | | | output is routed to a text | + | | | file. | + | | | $ ssltap -hs -p 444 | + | | | interzone.mcom.com:443 > | + | | | hs.txt | + | | | Output | + | | | Connected to | + | | | interzone.mcom.com:443 | + | | | --> [ | + | | | 0: 80 3d 01 03 00 00 24 | + | | | 00 00 00 10 01 00 80 02 00 | + | | | \| .=....$......... | + | | | 10: 80 03 00 80 04 00 80 | + | | | 06 00 40 07 00 c0 00 00 04 | + | | | \| .........@...... | + | | | 20: 00 ff e0 00 00 0a 00 | + | | | ff e1 00 00 09 00 00 03 03 | + | | | \| ........á....... | + | | | 30: 55 e6 e4 99 79 c7 d7 | + | | | 2c 86 78 96 5d b5 cf e9 | + | | | \|U..yÇ\xb0 ,.x.]µÏé | + | | | alloclen = 63 bytes | + | | | [ssl2] ClientHelloV2 { | + | | | version = {0x03, | + | | | 0x00} | + | | | | + | | | cipher-specs-length = 36 | + | | | (0x24) | + | | | sid-length = 0 | + | | | (0x00) | + | | | challenge-length | + | | | = 16 (0x10) | + | | | cipher-suites = { | + | | | (0x010080) | + | | | SSL2/RSA/RC4-128/MD5 | + | | | (0x020080) | + | | | SSL2/RSA/RC4-40/MD5 | + | | | (0x030080) | + | | | SSL2/RSA/RC2CBC128/MD5 | + | | | (0x040080) | + | | | SSL2/RSA/RC2CBC40/MD5 | + | | | (0x060040) | + | | | SSL2/RSA/DES64CBC/MD5 | + | | | (0x0700c0) | + | | | SSL2/RSA/3DES192EDE-CBC/MD5 | + | | | (0x000004) | + | | | SSL3/RSA/RC4-128/MD5 | + | | | (0x00ffe0) | + | | | SS | + | | | L3/RSA-FIPS/3DES192EDE-CBC/SHA | + | | | (0x00000a) | + | | | SSL3/RSA/3DES192EDE-CBC/SHA | + | | | (0x00ffe1) | + | | | SSL3/RSA-FIPS/DES64CBC/SHA | + | | | (0x000009) | + | | | SSL3/RSA/DES64CBC/SHA | + | | | (0x000003) | + | | | SSL3/RSA/RC4-40/MD5 | + | | | } | + | | | session-id = { } | + | | | challenge = { | + | | | 0x0355 0xe6e4 0x9979 0xc7d7 | + | | | 0x2c86 0x7896 0x5db | + | | | 0xcfe9 } | + | | | } | + | | | ] | + | | | | + | | | Server socket closed. | + | | | Usage Tips | + | | | When SSL restarts a | + | | | previous session, it makes use | + | | | of cached information | + | | | to do a partial handshake. | + | | | If you wish to capture a full | + | | | SSL handshake, | + | | | restart the browser to | + | | | clear the session id cache. | + | | | If you run the tool on a | + | | | machine other than the SSL | + | | | server to which you | + | | | are trying to connect, the | + | | | browser will complain that the | + | | | host name you | + | | | are trying to connect to is | + | | | different from the | + | | | certificate. If you are | + | | | using the default BadCert | + | | | callback, you can still | + | | | connect through a | + | | | dialog. If you are not | + | | | using the default BadCert | + | | | callback, the one you | + | | | supply must allow for this | + | | | possibility. | + | | | See Also | + | | | The NSS Security Tools are | + | | | also documented at | + | | | | + | | | [1]\ `http://www.mozil | + | | | la.org/projects/security/pki/n | + | | | ss/ `__. | + | | | Additional Resources | + | | | NSS is maintained in | + | | | conjunction with PKI and | + | | | security-related projects | + | | | through Mozilla dn Fedora. | + | | | The most closely-related | + | | | project is Dogtag PKI, | + | | | with a project wiki at | + | | | [2]\ http: | + | | | //pki.fedoraproject.org/wiki/. | + | | | For information | + | | | specifically about NSS, the | + | | | NSS project wiki is located at | + | | | | + | | | [3]\ `http://www.mozil | + | | | la.org/projects/security/pki/n | + | | | ss/ `__. | + | | | The NSS site relates | + | | | directly to NSS code | + | | | changes and releases. | + | | | Mailing lists: | + | | | pki-devel@redhat.com and | + | | | pki-users@redhat.com | + | | | IRC: Freenode at | + | | | #dogtag-pki | + | | | Authors | + | | | The NSS tools were written | + | | | and maintained by developers | + | | | with Netscape and | + | | | now with Red Hat and Sun. | + | | | Authors: Elio Maldonado | + | | | , Deon | + | | | Lackey | + | | | . | + | | | Copyright | + | | | (c) 2010, Red Hat, Inc. | + | | | Licensed under the GNU Public | + | | | License version 2. | + | | | References | + | | | Visible links | + | | | 1. | + | | | `http://www.mozilla.org/p | + | | | rojects/secu.../pki/nss/tools | + | | | `__ | + | | | 2. | + | | | http | + | | | ://pki.fedoraproject.org/wiki/ | + | | | 3. | + | | | `http://www.mozi | + | | | lla.org/projects/security/pki/ | + | | | nss/ `__ | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 358 | :ref:`mozill | | + | | a_projects_nss_tools_vfychain` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Name | + | | | vfychain — vfychain | + | | | [options] [revocation options] | + | | | certfile [[options] | + | | | certfile] ... | + | | | Synopsis | + | | | vfychain | + | | | Description | + | | | The verification Tool, | + | | | vfychain, verifies certificate | + | | | chains. modutil can | + | | | add and delete PKCS #11 | + | | | modules, change passwords on | + | | | security databases, | + | | | set defaults, list module | + | | | contents, enable or disable | + | | | slots, enable or | + | | | disable FIPS 140-2 | + | | | compliance, and assign default | + | | | providers for | + | | | cryptographic operations. | + | | | This tool can also create | + | | | certificate, key, and | + | | | module security database | + | | | files. | + | | | The tasks associated with | + | | | security module database | + | | | management are part of | + | | | a process that typically | + | | | also involves managing key | + | | | databases and | + | | | certificate databases. | + | | | Options | + | | | -a | + | | | the following | + | | | certfile is base64 encoded | + | | | -b YYMMDDHHMMZ | + | | | Validate date | + | | | (default: now) | + | | | -d directory | + | | | database directory | + | | | -f | + | | | Enable cert | + | | | fetching from AIA URL | + | | | -o oid | + | | | Set policy OID for | + | | | cert validation(Format | + | | | OID.1.2.3) | + | | | -p | + | | | Use PKIX Library to | + | | | validate certificate by | + | | | calling: | + | | | \* | + | | | CERT_VerifyCertificate if | + | | | specified once, | + | | | \* | + | | | CERT_PKIXVerifyCert if | + | | | specified twice and more. | + | | | -r | + | | | Following certfile | + | | | is raw binary DER (default) | + | | | -t | + | | | Following cert is | + | | | explicitly trusted (overrides | + | | | db trust) | + | | | -u usage | + | | | 0=SSL client, 1=SSL | + | | | server, 2=SSL StepUp, 3=SSL | + | | | CA, 4=Email | + | | | signer, 5=Email | + | | | recipient, 6=Object signer, | + | | | | + | | | 9=ProtectedObjectSigner, | + | | | 10=OCSP responder, 11=Any CA | + | | | -v | + | | | Verbose mode. | + | | | Prints root cert | + | | | subject(double the argument | + | | | for | + | | | whole root cert | + | | | info) | + | | | -w password | + | | | Database password | + | | | -W pwfile | + | | | Password file | + | | | Revocation options | + | | | for PKIX API (invoked with -pp | + | | | options) is a | + | | | collection of the | + | | | following flags: [-g type [-h | + | | | flags] [-m type | + | | | [-s flags]] ...] | + | | | ... | + | | | Where: | + | | | -g test-type | + | | | Sets status | + | | | checking test type. Possible | + | | | values are "leaf" or | + | | | "chain" | + | | | -g test type | + | | | Sets status | + | | | checking test type. Possible | + | | | values are "leaf" or | + | | | "chain". | + | | | -h test flags | + | | | Sets revocation | + | | | flags for the test type it | + | | | follows. Possible | + | | | flags: | + | | | "testLocalInfoFirst" and | + | | | "requireFreshInfo". | + | | | -m method type | + | | | Sets method type | + | | | for the test type it follows. | + | | | Possible types are | + | | | "crl" and "ocsp". | + | | | -s method flags | + | | | Sets revocation | + | | | flags for the method it | + | | | follows. Possible types | + | | | are "doNotUse", | + | | | "forbidFetching", | + | | | "ignoreDefaultSrc", | + | | | "requireInfo" and | + | | | "failIfNoInfo". | + | | | Additional Resources | + | | | For information about NSS | + | | | and other tools related to NSS | + | | | (like JSS), check | + | | | out the NSS project wiki at | + | | | | + | | | [1]\ `http://www.mozil | + | | | la.org/projects/security/pki/n | + | | | ss/ `__. | + | | | The NSS site relates | + | | | directly to NSS code | + | | | changes and releases. | + | | | Mailing lists: | + | | | https://lists.mozill | + | | | a.org/listinfo/dev-tech-crypto | + | | | IRC: Freenode at | + | | | #dogtag-pki | + | | | Authors | + | | | The NSS tools were written | + | | | and maintained by developers | + | | | with Netscape, Red | + | | | Hat, and Sun. | + | | | Authors: Elio Maldonado | + | | | , Deon | + | | | Lackey | + | | | . | + | | | Copyright | + | | | (c) 2010, Red Hat, Inc. | + | | | Licensed under the GNU Public | + | | | License version 2. | + | | | References | + | | | Visible links | + | | | 1. | + | | | `http://www.mozi | + | | | lla.org/projects/security/pki/ | + | | | nss/ `__ | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 359 | :ref:`mozil | | + | | la_projects_nss_tools_vfyserv` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Coming soon | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 360 | :ref:`mozilla | **NSS** | + | | _projects_nss_troubleshooting` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | On this page, let's collect | + | | | information on how to | + | | | troubleshoot NSS at runtime. | + | | | Debugging tips, how to enable | + | | | tracing of the various | + | | | modules, etc. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 361 | :ref:`mozilla_p | **NSS** | + | | rojects_nss_utility_functions` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The public functions listed | + | | | here perform initialization | + | | | tasks and other services. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/introduction_to_network_security_services/index.rst b/security/nss/doc/rst/legacy/introduction_to_network_security_services/index.rst new file mode 100644 index 0000000000..b2010de17b --- /dev/null +++ b/security/nss/doc/rst/legacy/introduction_to_network_security_services/index.rst @@ -0,0 +1,162 @@ +.. _mozilla_projects_nss_introduction_to_network_security_services: + +Introduction to Network Security Services +========================================= + +.. container:: + + **Network Security Services (NSS)** is a set of libraries designed to support cross-platform + development of communications applications that support SSL, S/MIME, and other Internet security + standards. For a general overview of NSS and the standards it supports, see + :ref:`mozilla_projects_nss_overview`. + +.. _shared_libraries: + +`Shared libraries <#shared_libraries>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + Network Security Services provides both static libraries and shared libraries. Applications that + use the shared libraries must use only the APIs that they export. Three shared libraries export + public functions: + + - The SSL library supports core SSL operations. + - The S/MIME library supports core S/MIME operations. + - The NSS library supports core crypto operations. + + We guarantee that applications using the exported APIs will remain compatible with future + versions of those libraries. For a complete list of public functions exported by these shared + libraries in NSS 3.2, see :ref:`mozilla_projects_nss_reference_nss_functions`. + + For information on which static libraries in NSS 3.1.1 are replaced by each of the above shared + libraries in NSS 3.2 , see `Migration from NSS + 3.1.1 `__. + + Figure 1, below, shows a simplified view of the relationships among the three shared libraries + listed above and NSPR, which provides low-level cross platform support for operations such as + threading and I/O. (Note that NSPR is a separate Mozilla project; see `Netscape Portable + Runtime `__ for details.) + + .. image:: /en-US/docs/Mozilla/Projects/NSS/Introduction_to_Network_Security_Services/nss.gif + :alt: Diagram showing the relationships among core NSS libraries and NSPR. + :width: 429px + :height: 196px + +.. _naming_conventions_and_special_libraries: + +`Naming conventions and special libraries <#naming_conventions_and_special_libraries>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + Windows and Unix use different naming conventions for static and dynamic libraries: + + ======= ======== ================== + Windows Unix + static ``.lib`` ``.a`` + dynamic ``.dll`` ``.so`` or ``.sl`` + ======= ======== ================== + + In addition, Windows has "import" libraries that bind to dynamic libraries. So the NSS library + has the following forms: + + - ``libnss3.so`` - Unix shared library + - ``libnss3.sl`` - HP-UX shared library + - ``libnss.a`` - Unix static library + - ``nss3.dll`` - Windows shared library + - ``nss3.lib`` - Windows import library binding to ``nss3.dll`` + - ``nss.lib`` - Windows static library + + NSS, SSL, and S/MIME have all of the above forms. + + The following static libraries aren't included in any shared libraries + + - ``libcrmf.a``/``crmf.lib`` provides an API for CRMF operations. + - ``libjar.a``/``jar.lib`` provides an API for creating JAR files. + + The following static libraries are included only in external loadable PKCS #11 modules: + + - ``libnssckfw.a``/``nssckfw.lib`` provides an API for writing PKCS #11 modules. + - ``libswfci.a``/``swfci.lib`` provides support for software FORTEZZA. + + The following shared libraries are standalone loadable modules, not meant to be linked with + directly: + + - ``libfort.so``/``libfort.sl``/``fort32.dll`` provides support for hardware FORTEZZA. + - ``libswft.so``/``libswft.sl``/``swft32.dll`` provides support for software FORTEZZA. + - ``libnssckbi.so``/``libnssckbi.sl``/``nssckbi.dll`` defines the default set of trusted root + certificates. + +.. _support_for_ilp32: + +`Support for ILP32 <#support_for_ilp32>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + In NSS 3.2 and later versions, there are two new shared libraries for the platforms HP-UX for + PARisc CPUs and Solaris for (Ultra)Sparc (not x86) CPUs. These HP and Solaris platforms allow + programs that use the ILP32 program model to run on both 32-bit CPUs and 64-bit CPUs. The two + libraries exist to provide optimal performance on each of the two types of CPUs. + + These two extra shared libraries are not supplied on any other platforms. The names of these + libraries are platform-dependent, as shown in the following table. + + ================================== ============================ ============================ + Platform for 32-bit CPUs for 64-bit CPUs + Solaris/Sparc ``libfreebl_pure32_3.so`` ``libfreebl_hybrid_3.so`` + HPUX/PARisc ``libfreebl_pure32_3.sl`` ``libfreebl_hybrid_3.sl`` + AIX (planned for a future release) ``libfreebl_pure32_3_shr.a`` ``libfreebl_hybrid_3_shr.a`` + ================================== ============================ ============================ + + An application should not link against these libraries, because they are dynamically loaded by + NSS at run time. Linking the application against one or the other of these libraries may produce + an application program that can only run on one type of CPU (e.g. only on 64-bit CPUs, not on + 32-bit CPUs) or that doesn't use the more efficient 64-bit code on 64-bit CPUs, which defeats the + purpose of having these shared libraries. + + On platforms for which these shared libraries exist, NSS 3.2 will fail if these shared libs are + not present. So, an application must include these files in its distribution of NSS shared + libraries. These shared libraries should be installed in the same directory where the other NSS + shared libraries (such as ``libnss3.so``) are installed. Both shared libs should always be + installed whether the target system has a 32-bit CPU or a 64-bit CPU. NSS will pick the right one + for the local system at run time. + + Note that NSS 3.x is also available in the LP64 model for these platforms, but the LP64 model of + NSS 3.x does not have these two extra shared libraries. + +.. _what_you_should_already_know: + +`What you should already know <#what_you_should_already_know>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + Before using NSS, you should be familiar with the following topics: + + - Concepts and techniques of public-key cryptography + - The Secure Sockets Layer (SSL) protocol + - The PKCS #11 standard for cryptographic token interfaces + - Cross-platform development issues and techniques + +.. _where_to_find_more_information: + +`Where to find more information <#where_to_find_more_information>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + For information about PKI and SSL that you should understand before using NSS, see the following: + + - `Introduction to Public-Key + Cryptography `__ + - `Introduction to + SSL `__ + + For links to API documentation, build instructions, and other useful information, see the + :ref:`mozilla_projects_nss`. + + As mentioned above, NSS is built on top of NSPR. The API documentation for NSPR is available at + `NSPR API + Reference `__. \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/jss/4.3.1_release_notes/index.rst b/security/nss/doc/rst/legacy/jss/4.3.1_release_notes/index.rst new file mode 100644 index 0000000000..21cda12719 --- /dev/null +++ b/security/nss/doc/rst/legacy/jss/4.3.1_release_notes/index.rst @@ -0,0 +1,174 @@ +.. _mozilla_projects_nss_jss_4_3_1_release_notes: + +4.3.1 Release Notes +=================== + +.. _release_date_2009-12-02: + +`Release Date: 2009-12-02 <#release_date_2009-12-02>`__ +------------------------------------------------------- + +.. container:: + +`Introduction <#introduction>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + Network Security Services for Java (JSS) 4.3.1 is a minor release with the following new + features: + + - Support for SSL3 & TLS Renegotiation Vulnerability + - Support to explicitly set the key usage for the generated private key + + JSS 4.3.1 is `tri-licensed `__ under MPL 1.1/GPL 2.0/LGPL 2.1. + +.. _new_in_jss_4.3.1: + +`New in JSS 4.3.1 <#new_in_jss_4.3.1>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + A list of bug fixes and enhancement requests were implemented in this release can be obtained by + running this `bugzilla + query `__ + + **JSS 4.3.1 requires :ref:`mozilla_projects_nss_3_12_5_release_notes` or higher.** + + .. rubric:: SSL3 & TLS Renegotiation Vulnerability + :name: ssl3_tls_renegotiation_vulnerability + + See `CVE-2009-3555 `__ and `US-CERT + VU#120541 `__ for more information about this security + vulnerability. + + All SSL/TLS renegotiation is disabled by default in NSS 3.12.5 and therefore will be disabled by + default with JSS 4.3.1. This will cause programs that attempt to perform renegotiation to + experience failures where they formerly experienced successes, and is necessary for them to not + be vulnerable, until such time as a new safe renegotiation scheme is standardized by the IETF. + + If an application depends on renegotiation feature, it can be enabled by setting the environment + variable NSS_SSL_ENABLE_RENEGOTIATION to 1. By setting this environmental variable, the fix + provided by these patches will have no effect and the application may become vulnerable to the + issue. + + This default setting can also be changed within the application by using the following JSS + methods: + + - SSLServerSocket.enableRenegotiation(int mode) + - SSLSocket.enableRenegotiation(int mode) + - SSLSocket.enableRenegotiationDefault(int mode) + + The mode of renegotiation that the peer must use can be set to the following: + + - SSLSocket.SSL_RENEGOTIATE_NEVER - Never renegotiate at all. (Default) + - SSLSocket.SSL_RENEGOTIATE_UNRESTRICTED - Renegotiate without + restriction, whether or not the peer's client hello bears the + renegotiation info extension (like we always did in the past). + - SSLSocket.SSL_RENEGOTIATE_REQUIRES_XTN - NOT YET IMPLEMENTED + + .. rubric:: Explicitly set the key usage for the generated private key + :name: explicitly_set_the_key_usage_for_the_generated_private_key + + | In PKCS #11, each keypair can be marked with the operations it will + | be used to perform. Some tokens require that a key be marked for + | an operation before the key can be used to perform that operation; + | other tokens don't care. NSS/JSS provides a way to specify a set of + | flags and a corresponding mask for these flags. + + - see generateECKeyPairWithOpFlags + - see generateRSAKeyPairWithOpFlags + - see generateDSAKeyPairWithOpFlags + +.. _distribution_information: + +`Distribution Information <#distribution_information>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + - JSS is checked into ``mozilla/security/jss/``. + - The CVS tag for the JSS 4.3.1 release is ``JSS_4_3_1_RTM``. + - Source tarballs are available from + `ftp://ftp.mozilla.org/pub/mozilla.or...-4.3.1.tar.bz2 `__ + - Binary releases are no longer available on mozilla. JSS is a JNI library we provide the + jss4.jar but expect you to build the JSS's matching JNI shared library. We provide the + jss4.jar in case you do not want to obtain your own JCE code signing certificate. JSS is a + JCE provider and therefore the jss4.jar must be signed. + `ftp://ftp.mozilla.org/pub/mozilla.org/security/jss/releases/JSS_4_3_1_RTM `__. + +`Documentation <#documentation>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + Documentation for JSS 4.3.1 is available as follows: + + - `Build Instructions for JSS 4.3.1 `__ + - Javadoc `[online] `__ + `[zipped] `__ + - Read the instructions on `using JSS `__. + - Source may be viewed with a browser (via the MXR tool) at + http://mxr.mozilla.org/mozilla/source/security/jss/ + - The RUN TIME behavior of JSS can be affected by the + :ref:`mozilla_projects_nss_reference_nss_environment_variables`. + +.. _platform_information: + +`Platform Information <#platform_information>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + - You can check out the source from CVS by + + .. note:: + + cvs co -r JSS_4_3_1_RTM JSS + + - JSS 4.3.1 works with JDK versions 4 or higher we suggest the latest. + + - JSS 4.3.1 requires :ref:`mozilla_projects_nss_3_12_5` or higher. + + - JSS 4.3.1 requires `NSPR 4.7.1 `__ or + higher. + + - JSS only supports the native threading model (no green threads). + +.. _known_bugs_and_issues: + +`Known Bugs and Issues <#known_bugs_and_issues>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + - For a list of reported bugs that have not yet been fixed, `click + here. `__ + Note that some bugs may have been fixed since JSS 4.3.1 was released. + +`Compatibility <#compatibility>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + - JSS 4.3.1 is backwards compatible with JSS 4.2. Applications compiled against JSS 4.2 will + work with JSS 4.3.1. + - The 4.3.1 version of libjss4.so/jss4.dll must only be used with jss4.jar. In general, a JSS + JAR file must be used with the JSS shared library from the exact same release. + - To obtain the version info from the jar file use, + "System.out.println(org.mozilla.jss.CryptoManager.JAR_JSS_VERSION)" and to check the shared + library: strings libjss4.so \| grep -i header + +`Feedback <#feedback>`__ +~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + - Bugs discovered should be reported by filing a bug report with + `bugzilla `__. + - You can also give feedback directly to the developers on the Mozilla Cryptography forums... + + - `Mailing list `__ + - `Newsgroup `__ + - `RSS feed `__ \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/jss/4_3_releasenotes/index.rst b/security/nss/doc/rst/legacy/jss/4_3_releasenotes/index.rst new file mode 100644 index 0000000000..ca2b5e41bd --- /dev/null +++ b/security/nss/doc/rst/legacy/jss/4_3_releasenotes/index.rst @@ -0,0 +1,175 @@ +.. _mozilla_projects_nss_jss_4_3_releasenotes: + +4.3 Release Notes +================= + +.. _release_date_01_april_2009: + +`Release Date: 01 April 2009 <#release_date_01_april_2009>`__ +------------------------------------------------------------- + +.. container:: + +`Introduction <#introduction>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + Network Security Services for Java (JSS) 4.3 is a minor release with the following new features: + + - SQLite-Based Shareable Certificate and Key Databases + - libpkix: an RFC 3280 Compliant Certificate Path Validation Library + - PKCS11 needsLogin method + - support HmacSHA256, HmacSHA384, and HmacSHA512 + - support for all NSS 3.12 initialization options + + JSS 4.3 is `tri-licensed `__ under MPL 1.1/GPL 2.0/LGPL 2.1. + +.. _new_in_jss_4.3: + +`New in JSS 4.3 <#new_in_jss_4.3>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + A list of bug fixes and enhancement requests were implemented in this release can be obtained by + running this `bugzilla + query `__ + + **JSS 4.3 requires**\ `NSS + 3.12 `__\ **or + higher.** + + - New `SQLite-Based Shareable Certificate and Key + Databases `__ by prepending the string "sql:" to the + directory path passed to configdir parameter for Crypomanager.initialize method or using the + NSS environment variable :ref:`mozilla_projects_nss_reference_nss_environment_variables`. + - Libpkix: an RFC 3280 Compliant Certificate Path Validation Library (see + `PKIXVerify `__) + - PK11Token.needsLogin method (see needsLogin) + - support HmacSHA256, HmacSHA384, and HmacSHA512 (see + `HMACTest.java `__) + - support for all NSS 3.12 initialization options (see InitializationValues) + - New SSL error codes (see https://mxr.mozilla.org/security/sour...util/SSLerrs.h) + + - SSL_ERROR_UNSUPPORTED_EXTENSION_ALERT + SSL_ERROR_CERTIFICATE_UNOBTAINABLE_ALERT + SSL_ERROR_UNRECOGNIZED_NAME_ALERT + SSL_ERROR_BAD_CERT_STATUS_RESPONSE_ALERT + SSL_ERROR_BAD_CERT_HASH_VALUE_ALERT + + - New TLS cipher suites (see https://mxr.mozilla.org/security/sour...SSLSocket.java): + + - TLS_RSA_WITH_CAMELLIA_128_CBC_SHA + TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA + TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA + TLS_RSA_WITH_CAMELLIA_256_CBC_SHA + TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA + TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA + + - Note: the following TLS cipher suites are declared but are not yet implemented: + + - TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA + TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA + TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA + TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA + TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA + TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA + TLS_ECDH_anon_WITH_NULL_SHA + TLS_ECDH_anon_WITH_RC4_128_SHA + TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA + TLS_ECDH_anon_WITH_AES_128_CBC_SHA + TLS_ECDH_anon_WITH_AES_256_CBC_SHA + +.. _distribution_information: + +`Distribution Information <#distribution_information>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + - JSS is checked into ``mozilla/security/jss/``. + - The CVS tag for the JSS 4.3 release is ``JSS_4_3_RTM``. + - Source tarballs are available from + https://archive.mozilla.org/pub/security/jss/releases/JSS_4_3_RTM/src/jss-4.3.tar.bz2 + - Binary releases are no longer available on mozilla. JSS is a JNI library we provide the + jss4.jar but expect you to build the JSS's matching JNI shared library. We provide the + jss4.jar in case you do not want to obtain your own JCE code signing certificate. JSS is a + JCE provider and therefore the jss4.jar must be signed. + https://archive.mozilla.org/pub/security/jss/releases/JSS_4_3_RTM/ + + -------------- + +`Documentation <#documentation>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + Documentation for JSS 4.3 is available as follows: + + - `Build Instructions for JSS 4.3 `__ + - Javadoc `[online] `__ + `[zipped] `__ + - Read the instructions on `using JSS `__. + - Source may be viewed with a browser (via the MXR tool) at + http://mxr.mozilla.org/mozilla/source/security/jss/ + - The RUN TIME behavior of JSS can be affected by the + :ref:`mozilla_projects_nss_reference_nss_environment_variables`. + +.. _platform_information: + +`Platform Information <#platform_information>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + - JSS 4.3 works with JDK versions 4 or higher we suggest the latest. + - JSS 4.3 requires `NSS + 3.12 `__ + or higher. + - JSS 4.3 requires `NSPR 4.7.1 `__ or + higher. + - JSS only supports the native threading model (no green threads). + + -------------- + +.. _known_bugs_and_issues: + +`Known Bugs and Issues <#known_bugs_and_issues>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + - For a list of reported bugs that have not yet been fixed, `click + here. `__ + Note that some bugs may have been fixed since JSS 4.3 was released. + + -------------- + +`Compatibility <#compatibility>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + - JSS 4.3 is backwards compatible with JSS 4.2. Applications compiled against JSS 4.2 will work + with JSS 4.3. + - The 4.3 version of libjss4.so/jss4.dll must only be used with jss4.jar. In general, a JSS JAR + file must be used with the JSS shared library from the exact same release. + - To obtain the version info from the jar file use, + "System.out.println(org.mozilla.jss.CryptoManager.JAR_JSS_VERSION)" and to check the shared + library: strings libjss4.so \| grep -i header + + -------------- + +`Feedback <#feedback>`__ +~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + - Bugs discovered should be reported by filing a bug report with + `bugzilla `__. + - You can also give feedback directly to the developers on the Mozilla Cryptography forums... + + - `Mailing list `__ + - `Newsgroup `__ + - `RSS feed `__ \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/jss/build_instructions_for_jss_4.3.x/index.rst b/security/nss/doc/rst/legacy/jss/build_instructions_for_jss_4.3.x/index.rst new file mode 100644 index 0000000000..a864a452ee --- /dev/null +++ b/security/nss/doc/rst/legacy/jss/build_instructions_for_jss_4.3.x/index.rst @@ -0,0 +1,99 @@ +.. _mozilla_projects_nss_jss_build_instructions_for_jss_4_3_x: + +Build instructions for JSS 4.3.x +================================ + +.. _build_instructions_for_jss_4.3.x: + +`Build Instructions for JSS 4.3.x <#build_instructions_for_jss_4.3.x>`__ +------------------------------------------------------------------------ + +.. container:: + + Newsgroup: `mozilla.dev.tech.crypto `__ + + Before building JSS, you need to set up your system as follows: + + #. Build NSPR/NSS by following the + :ref:`mozilla_projects_nss_reference_building_and_installing_nss_build_instructions`, + #. To check that NSS built correctly, run ``all.sh`` (in ``mozilla/security/nss/tests``) and + examine the results (in + ``mozilla/test_results/security/``\ *computername*.#\ ``/results.html``. + #. Install a Java compiler and runtime. JSS supports Java version 1.5 or later. We suggest you + use the latest. + #. You must have Perl version 5.005 or later. + + Now you are ready to build JSS. Follow these steps: + + #. Switch to the appropriate directory and check out JSS from the root of your source tree. + + .. code:: + + cvs co -r JSS_4_3_1_RTM mozilla/security/jss + + or + + .. code:: + + cvs co -r JSS_4_3_RTM mozilla/security/jss + + #. Setup environment variables needed for compiling Java source. The ``JAVA_HOME`` variable + indicates the directory containing your Java SDK installation. Note, on Windows platforms it + is best to have JAVA_HOME set to a directory path that doest not have spaces. + + **Unix** + + .. code:: + + setenv JAVA_HOME /usr/local/jdk1.5.0 (or wherever your JDK is installed) + + **Windows** + + .. code:: + + set JAVA_HOME=c:\programs\jdk1.5.0 (or wherever your JDK is installed) + + **Windows (Cygnus)** + + .. code:: + + JAVA_HOME=/cygdrive/c/programs/jdk1.5.0 (or wherever your JDK is installed) + export JAVA_HOME + + | **Windows build Configurations WINNT vs WIN95** + + .. code:: + + As of NSS 3.15.4, NSPR/NSS/JSS build generates a "WIN95" configuration by default on Windows. + We recommend most applications use the "WIN95" configuration. If you want JSS to be used + with your applet and the Firefox browser than you must build WIN95. (See JSS FAQ) + The "WIN95" configuration supports all versions of Windows. The "WIN95" name is historical; + it should have been named "WIN32". + To generate a "WINNT" configuration, set OS_TARGET=WINNT and build NSPR/NSS/JSS WIN95. + + | Mac OS X + | It has been recently reported that special build instructions are necessary to succeed + building JSS on OSX. Please + see `HOWTO_successfully_compile_JSS_and_NSS_for_32_and_64_bits_on_OSX_10.6_(10.6.7) `__ + for contributed instructions. + | + + #. Build JSS. + + .. code:: + + cd mozilla/security/jss + gmake + + #. Sign the JSS jar. + + .. code:: + + If you're intention is to modify and build the JSS source you + need to Apply for your own JCE code-signing certificate + + If you made no changes and your goal is to build JSS you can use the + signed binary release of the jss4.jar from ftp.mozilla.org. + with your built jss4 JNI shared library. + + Next, you should read the instructions on `using JSS `__. \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/jss/build_instructions_for_jss_4.4.x/index.rst b/security/nss/doc/rst/legacy/jss/build_instructions_for_jss_4.4.x/index.rst new file mode 100644 index 0000000000..bdbea81953 --- /dev/null +++ b/security/nss/doc/rst/legacy/jss/build_instructions_for_jss_4.4.x/index.rst @@ -0,0 +1,19 @@ +.. _mozilla_projects_nss_jss_build_instructions_for_jss_4_4_x: + +Build instructions for JSS 4.4.x +================================ + +.. _build_instructions_for_jss_4.4.x: + +`Build Instructions for JSS 4.4.x <#build_instructions_for_jss_4.4.x>`__ +------------------------------------------------------------------------ + +.. container:: + + Newsgroup: `mozilla.dev.tech.crypto `__ + + To build JSS see `Upstream JSS Build/Test + Instructions `__ + + `Next, you should read the instructions + on `__ `using JSS `__. \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/jss/index.rst b/security/nss/doc/rst/legacy/jss/index.rst new file mode 100644 index 0000000000..c09374dbc6 --- /dev/null +++ b/security/nss/doc/rst/legacy/jss/index.rst @@ -0,0 +1,165 @@ +.. _mozilla_projects_nss_jss: + +JSS +=== + +`Documentation <#documentation>`__ +---------------------------------- + +.. container:: + + .. warning:: + + **The JSS project has been relocated!** + + As of April 6, 2018, JSS has been migrated from Mercurial on Mozilla to Git on Github. + + JSS source should now be checked out from the Github: + + - git clone git@github.com:dogtagpki/jss.git + -- OR -- + - git clone https://github.com/dogtagpki/jss.git + + All future upstream enquiries to JSS should now use the Pagure Issue Tracker system: + + - https://pagure.io/jss/issues + + Documentation regarding the JSS project should now be viewed at: + + - http://www.dogtagpki.org/wiki/JSS + + **NOTE: As much of the JSS documentation is sorely out-of-date, updated information will be a + work in progress, and many portions of any legacy documentation will be re-written over the + course of time. Stay tuned!** + + Legacy JSS information can still be found at: + + - SOURCE: https://hg.mozilla.org/projects/jss + - ISSUES: https://bugzilla.mozilla.org/buglist.cgi?product=JSS + - WIKI: :ref:`mozilla_projects_nss_jss` + + Network Security Services for Java (JSS) is a Java interface to + `NSS `__. JSS supports most of the security + standards and encryption technologies supported by :ref:`mozilla_projects_nss_reference`. JSS + also provides a pure Java interface for ASN.1 types and BER/DER encoding. + + JSS offers a implementation of Java SSL sockets that uses NSS's SSL/TLS implementation rather + than Sun's JSSE implementation. You might want to use JSS's own `SSL + classes `__ if you want to use some + of the capabilities found in NSS's SSL/TLS library but not found in JSSE. + + NSS is the cryptographic module where all cryptographic operations are performed. JSS essentially + provides a Java JNI bridge to NSS C shared libraries. When NSS is put in FIPS mode, JSS ensures + FIPS compliance by ensuring that all cryptographic operations are performed by the NSS + cryptographic module. + + JSS offers a JCE provider, `"Mozilla-JSS" JCA Provider notes `__. + + JSS, jss4.jar, is still built with JDK 1.4.2. While JDK 1.4.2 is EOL'd and all new product + development should be using the latest + `JavaSE `__, legacy business products that must + use JDK 1.4 or 1.5 can continue to add NSS/JSS security fixes/enhancements. + + JSS is used by Red Hat and Sun products that do crypto in Java. JSS is available under the + Mozilla Public License, the GNU General Public License, and the GNU Lesser General Public + License. JSS requires `NSPR `__ and + `NSS `__. + + Java provides a JCE provider called SunPKCS11 (see `Java PKCS#11 Reference + Guide `__.) SunPKCS11 + can be configured to use the NSS module as the crytographic provider. If you are planning to just + use JSS JCE provider as a bridge to NSS's FIPS validated PKCS#11 module, then the SunPKCS11 JCE + provider may do all that you need. Note that Java 1.5 claimed no FIPS compliance, and `Java + 1.6 `__ or higher + needs to be used. A current limitation to the configured SunPKCS11-NSS bridge configuration is if + you add a PKCS#11 module to the NSS database such as for a smartcard, you won't be able to access + that smartcard through the SunPKCS11-NSS bridge. If you use JSS, you can easily get lists of + modules and tokens that are configured in the NSS DB and freely access all of it. + + +-------------------------------------------------+-------------------------------------------------+ + | Before you use JSS, you should have a good | .. rubric:: Community | + | understanding of the crypto technologies it | :name: Community | + | uses. You might want to read these documents: | | + | | - View Mozilla Cryptography forums... | + | - `Introduction to Public-Key | | + | Crypt | - `Mailing | + | ography `__. | /lists.mozilla.org/listinfo/dev-tech-crypto>`__ | + | Explains the basic concepts of public-key | - `Newsgroup `__ | + | - `Introduction to | - `RSS | + | SSL `__. | gle.com/group/mozilla.dev.tech.crypto/feeds>`__ | + | Introduces the SSL protocol, including | | + | information about cryptographic ciphers | .. rubric:: Related Topics | + | supported by SSL and the steps involved in | :name: Related_Topics | + | the SSL handshake. | | + | | - `Security `__ | + | see `NSS sources building | | + | testing `__\ `. `__ | | + | | | + | Read `Using JSS `__ to get you | | + | started with development after you've built and | | + | downloaded it. | | + | | | + | .. rubric:: Release Notes | | + | :name: Release_Notes | | + | | | + | - `4.3.1 Release | | + | Notes `__ | | + | - `4.3 Release | | + | Notes `__ | | + | - `Older Release | | + | Notes `__ | | + | | | + | .. rubric:: Build Instructions | | + | :name: Build_Instructions | | + | | | + | - :re | | + | f:`mozilla_projects_nss_jss_build_instructions_ | | + | for_jss_4_4_x#build_instructions_for_jss_4_4_x` | | + | - `Building JSS | | + | 4.3.x `__ | | + | - `Older Build | | + | Instructions `__ | | + | | | + | .. rubric:: Download or View Source | | + | :name: Download_or_View_Source | | + | | | + | - `Download binaries, source, and | | + | javadoc `__ | | + | - `View the source | | + | online `__ | | + | | | + | .. rubric:: Testing | | + | :name: Testing | | + | | | + | - `JSS | | + | tests `__ | | + | | | + | .. rubric:: Frequently Asked Questions | | + | :name: Frequently_Asked_Questions | | + | | | + | - `JSS FAQ `__ | | + | | | + | Information on JSS planning can be found at | | + | `wik | | + | i.mozilla.org `__, | | + | including: | | + | | | + | - `NSS FIPS | | + | Validati | | + | on `__ | | + | - `NSS Roadmap | | + | | | + | page `__ | | + +-------------------------------------------------+-------------------------------------------------+ \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/jss/jss_faq/index.rst b/security/nss/doc/rst/legacy/jss/jss_faq/index.rst new file mode 100644 index 0000000000..d419586452 --- /dev/null +++ b/security/nss/doc/rst/legacy/jss/jss_faq/index.rst @@ -0,0 +1,217 @@ +.. _mozilla_projects_nss_jss_jss_faq: + +JSS FAQ +======= + +.. _jss_frequently_asked_questions: + +`JSS Frequently Asked Questions <#jss_frequently_asked_questions>`__ +-------------------------------------------------------------------- + +.. container:: + + Newsgroup: `mozilla.dev.tech.crypto `__ + + **Content:** + + - `What versions of JDK and JCE do you suggest? <#jdkjce1>`__ + - `Does JSS have 64 bit support? <#64bit>`__ + - `Is JSS FIPS Compliant? <#fips>`__ + - `Is there any sample code and documentation? <#sample>`__ + - `If I don't call setCipherPolicy, is the DOMESTIC policy used by + default? <#setcipherpolicy>`__ + - `My SSL connection is hanging on Windows? <#ssl_hanging>`__ + - `How can I tell which SSL/TLS ciphers JSS supports? <#ssltls_cipher>`__ + - `How can I debug my SSL connection? <#ssl_debug>`__ + - `Can you explain JSS SSL certificate approval callbacks? <#ssl_callback>`__ + - `Can I have multiple JSS instances reading separate db's? <#jss_instance>`__ + - `Once JSS initialized, I can't get anymore instances with + CertificateFactory.getInstance(X.509)? <#jss_init>`__ + - `Is it possible to sign data in Java with JSS? <#sign_date>`__ + - `How do I convert org.mozilla.jss.crypto.X509Certificate to + org.mozilla.jss.pkix.cert.Certificate? <#convertx509>`__ + - `How do I convert org.mozilla.jss.pkix.cert to + org.mozilla.jss.crypto.X509Certificate? <#convertpkix>`__ + - `Is it possible to use JSS to access cipher functionality from pkcs11 modules? <#pkc11>`__ + - `Can you explain token names and keys with regards to JSS? <#token_name>`__ + - `JSS 3.2 has JCA support. When will JSS have JSSE support? <#jssjsse>`__ + + **What versions of JDK and JRE do you suggest?** + + - JSS 3.x works with JDK versions 1.2 or higher, except version 1.3.0. Most attention for future + development and bug fixing will go to JDK 1.4 and later, so use that if you can. If you are + using JDK 1.3.x, you will need to use at least version 1.3.1--see `bug + 113808 `__. JSS only supports the native + threading model (no green threads). For JSS 3.2 and higher, if you use JDK 1.4 or higher you + will not need to install the JCE, but if you using an earlier version of the JDK then you will + also have to install JCE 1.2.1. See also the document `Using JSS `__. + + **Does JSS have 64 bit support?** + + - Yes, JSS 3.2 and higher supports 64 bit. You will need JDK 1.4 or higher and all the 64 bit + versions of NSPR, and NSS. As well you must use the java flag -d64 to specify the 64-bit data + model. + + **Is JSS FIPS Compliant?** + + - NSS is a FIPS-certified software library. JSS is considered a FIPS-compliant software library + since it only uses NSS for any and all crypto routines. + + **Is there any sample code and documentation?** + + - The `Using JSS `__ document describes how to set up your environment to run JSS. + The only other documentation is the + `Javadoc `__. + + JSS example code is essentially developer test code; with that understanding, the best + directory to look for sample code is in the org/mozilla/jss/tests directory: + + http://lxr.mozilla.org/mozilla/source/security/jss/org/mozilla/jss/tests + + | `org/mozilla/jss/tests/CloseDBs.java `__ + | `org/mozilla/jss/tests/KeyFactoryTest.java `__ + | `org/mozilla/jss/tests/DigestTest.java `__ + | `org/mozilla/jss/tests/JCASigTest.java `__ + | `org/mozilla/jss/tests/KeyWrapping.java `__ + | `org/mozilla/jss/tests/ListCerts.java `__ + | `org/mozilla/jss/tests/PK10Gen.java `__ + | `org/mozilla/jss/tests/SDR.java `__ + | `org/mozilla/jss/tests/SelfTest.java `__ + | `org/mozilla/jss/tests/SetupDBs.java `__ + | `org/mozilla/jss/tests/SigTest.java `__ + | `org/mozilla/jss/tests/SymKeyGen.java `__ + | `org/mozilla/jss/tests/TestKeyGen.java `__ + | `org/mozilla/jss/tests/SSLClientAuth.java `__ + | `org/mozilla/jss/tests/ListCACerts.java `__ + | `org/mozilla/jss/tests/KeyStoreTest.java `__ + | `org/mozilla/jss/tests/VerifyCert.java `__ + + SSL examples: + + | `org/mozilla/jss/tests/SSLClientAuth.java `__ + | `org/mozilla/jss/ssl/SSLClient.java `__ + | `org/mozilla/jss/ssl/SSLServer.java `__ + | `org/mozilla/jss/ssl/SSLTest.java `__ + + Other test code that may prove useful: + + | `org/mozilla/jss/asn1/INTEGER.java `__ + | `org/mozilla/jss/asn1/SEQUENCE.java `__ + | `org/mozilla/jss/asn1/SET.java `__ + | `org/mozilla/jss/pkcs10/CertificationRequest.java `__ + | `org/mozilla/jss/pkcs12/PFX.java `__ + | `org/mozilla/jss/pkix/cert/Certificate.java `__ + | `org/mozilla/jss/pkix/cmmf/CertRepContent.java `__ + | `org/mozilla/jss/pkix/crmf/CertReqMsg.java `__ + | `org/mozilla/jss/pkix/crmf/CertTemplate.java `__ + | `org/mozilla/jss/pkix/primitive/Name.java `__ + | `org/mozilla/jss/provider/javax/crypto/JSSSecretKeyFactorySpi.java `__ + | `org/mozilla/jss/util/UTF8Converter.java `__ + | `org/mozilla/jss/util/Base64InputStream.java `__ + | `jss/samples/PQGGen.java `__ + | `jss/samples/pkcs12.java `__ + + **If I don't call setCipherPolicy, is the DOMESTIC policy used by default?** + + - Yes, domestic is the default because we call NSS_SetDomesticPolicy() during + CryptoManager.initialize(). setCipherPolicy does not need to be called by a JSS app unless + that app wants to limit itself to export-allowed cipher suites. + + **My SSL connection is hanging on Windows?** + + - NSPR makes use of NT vs. Windows distinction and provides different NT and Windows builds. + Many Netscape products, including NSS, have NT and Windows builds that are essentially the + same except one difference: one is linked with the NT version of NSPR and the other is linked + with the Windows version of NSPR. The NT fiber problem affects applications that call blocking + system calls from the primordial thread. Either use the WIN 95 version of NSPR/NSS/JSS + components (essentially all non-fiber builds) or set the environment variable + NSPR_NATIVE_THREADS_ONLY=1. You can find more information in bugzilla bug + `102251 `__ SSL session cache locking + issue with NT fibers + + **How can I tell which SSL/TLS ciphers JSS supports?** + + - Check + http://lxr.mozilla.org/mozilla/source/security/jss/org/mozilla/jss/ssl/SSLSocket.java#730 + + **How can I debug my SSL connection?** + + - By using the NSS tool :ref:`mozilla_projects_nss_tools_ssltap` + + **Can you explain JSS SSL certificate approval callbacks?** + + - NSS has three callbacks related to certificates. JSS has two. But JSS combines two of the NSS + callbacks into one. + + - NSS's three SSL cert callbacks are: + + #. SSL_AuthCertificateHook sets a callback to authenticate the peer's certificate. It is + called instead of NSS's routine for authenticating certificates. + #. SSL_BadCertHook sets a callback that is called when NSS's routine fails to authenticate the + certificate. + #. SSL_GetClientAuthDataHook sets a callback to return the local certificate for SSL client + auth. + + JSS's two callbacks are: + + #. SSLCertificateApprovalCallback is a combination of SSL_AuthCertificateHook and + SSL_BadCertHook. It runs NSS's cert authentication check, then calls the callback + regardless of whether the cert passed or failed. The callback is told whether the cert + passed, and then can do anything extra that it wants to do before making a final decision. + #. SSLClientCertificateSelectionCallback is analogous to SSL_GetClientAuthDataHook. + + | + | **Can I have multiple JSS instances reading separate db's?** + + - No, you can only have one initialized instance of JSS for each database. + + **Once JSS initialized, I can't get anymore instances with + CertificateFactory.getInstance("X.509")?** + + - In version previous to JSS 3.1, JSS removes the default SUN provider on startup. Upgrade to + the latest JSS, or, in the ``CryptoManager.InitializationValues`` object you pass to + ``CryptoManager.initialize()``, set ``removeSunProivider=true``. + + **Is it possible to sign data in Java with JSS? What I am trying to do is write a Java applet + that will access the Netscape certificate store, retrieve a X509 certificate and then sign some + data.** + + - The best way to do this is with the PKCS #7 signedData type. Check out the + `javadoc `__. + + **How do I convert org.mozilla.jss.crypto.X509Certificate to + org.mozilla.jss.pkix.cert.Certificate?** + + - .. code:: + + import java.io.ByteArrayInputStream; + + [...] + + Certificate cert = (Certificate) ASN1Util.decode( + Certificate.getTemplate(),x509Cert.getEncoded() ); + + **How do I convert org.mozilla.jss.pkix.cert to org.mozilla.jss.crypto.X509Certificate?** + + - `Cryptomanager.importCertPackage() `__ + + **Is it possible to use JSS to acces cipher functionality from pkcs11 modules?** + + - Yes. Before JSS 3.2 you would use CryptoManager to obtain the CryptoToken you want to use, + then call CryptoToken.getCipherContext() to get an encryption engine. But as of JSS 3.2 you + would use the `JSS JCA provider `__. + + **Can you explain token names and keys with regards to JSS?** + + - The token name is different depending on which application you are running. In JSS, the token + is called "Internal Key Storage Token". You can look it up by name using + CryptoManager.getTokenByName(), but a better way is to call + CryptoManager.getInternalKeyStorageToken(), which works no matter what the token is named. In + general, a key is a handle to an underlying object on a PKCS #11 token, not merely a Java + object residing in memory. Symmetric Key usage: basically encrypt/decrypt is for data and + wrap/unwrap is for keys. + + J\ **SS 3.2 has JCA support. When will JSS have JSSE support?** + + - Not in the near future due to pluggability is disabled in the JSSE version included in J2SE + 1.4.x for export control reasons. \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/jss/jss_provider_notes/index.rst b/security/nss/doc/rst/legacy/jss/jss_provider_notes/index.rst new file mode 100644 index 0000000000..9db0654c2c --- /dev/null +++ b/security/nss/doc/rst/legacy/jss/jss_provider_notes/index.rst @@ -0,0 +1,489 @@ +.. _mozilla_projects_nss_jss_jss_provider_notes: + +JSS Provider Notes +================== + +.. container:: + + .. warning:: + + This page has been moved to http://www.dogtagpki.org/wiki/JSS_Provider. + +.. _the_mozilla-jss_jca_provider: + +`The Mozilla-JSS JCA Provider <#the_mozilla-jss_jca_provider>`__ +---------------------------------------------------------------- + +.. container:: + + Newsgroup: `mozilla.dev.tech.crypto `__ + +`Overview <#overview>`__ +~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + This document describes the JCA Provider shipped with JSS. The provider's name is "Mozilla-JSS". + It implements cryptographic operations in native code using the `NSS <../nss>`__ libraries. + +`Contents <#contents>`__ +~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + - `Signed JAR file <#signed-jar>`__ + - `Installing the Provider <#installing-provider>`__ + - `Specifying the CryptoToken <#specifying-token>`__ + - `Supported Classes <#supported-classes>`__ + - `What's Not Supported <#not-supported>`__ + + -------------- + +.. _signed_jar_file: + +`Signed JAR file <#signed_jar_file>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + - JSS 3.2 implements several JCE (Java Cryptography Extension) algorithms. These algorithms have + at various times been export-controlled by the US government. Sun therefore requires that JAR + files implementing JCE algorithms be digitally signed by an approved organization. Netscape + has this approval and signs the official builds of ``jss32.jar``. At runtime, the JRE + automatically verifies this signature whenever a JSS class is loaded that implements a JCE + algorithm. The verification is transparent to the application (unless it fails and throws an + exception). If you are curious, you can verify the signature on the JAR file using the + ``jarsigner`` tool, which is distributed with the JDK. + + If you build JSS yourself from source instead of using binaries downloaded from mozilla.org, + your JAR file will not have a valid signature. This means you will not be able to use the JSS + provider for JCE algorithms. You have two choices. + + #. Use the binary release of JSS from mozilla.org. + #. Apply for your own JCE code-signing certificate following the procedure at `How to + Implement a Provider for the Java\ TM Cryptography + Extension `__. + Then you can sign your own JSS JAR file. + +.. _installing_the_provider: + +`Installing the Provider <#installing_the_provider>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + - In order to use any part of JSS, including the JCA provider, you must first call + ``CryptoManager.initialize()``. By default, the JCA provider will be installed in the list of + providers maintained by the ``java.security.Security`` class. If you do not wish the provider + to be installed, create a + :ref:`mozilla_projects_nss_jss_cryptomanager_cryptomanager_initializationvalues` object, set + its ``installJSSProvider`` field to ``false``, and pass the ``InitializationValues`` object to + ``CryptoManager.initialize()``. + +.. _specifying_the_cryptotoken: + +`Specifying the CryptoToken <#specifying_the_cryptotoken>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + - All cryptographic operations in JSS and NSS occur on a particular PKCS #11 token, implemented + in software or hardware. There is no clean way to specify this token through the JCA API. By + default, the JSS provider carries out all operations except MessageDigest on the Internal Key + Storage Token, a software token included in JSS/NSS. MessageDigest operations take place by + default on the Internal Crypto Token, another internal software token in JSS/NSS. There is no + good design reason for this difference, but it is necessitated by a quirk in the NSS + implementation. + + In order to use a different token, use ``CryptoManager.setThreadToken()``. This sets the token + to be used by the JSS JCA provider in the current thread. When you call ``getInstance()`` on a + JCA class, the JSS provider checks the current per-thread default token (by calling + ``CryptoManager.getThreadToken()``) and instructs the new object to use that token for + cryptographic operations. The per-thread default token setting is only consulted inside + ``getInstance()``. Once a JCA object has been created it will continue to use the same token, + even if the application later changes the per-thread default token. + + Whenever a new thread is created, its token is initialized to the default, the Internal Key + Storage Token. Thus, the thread token is not inherited from the parent thread. + + The following example shows how you can specify which token is used for various JCA + operations: + + .. code:: + + // Lookup PKCS #11 tokens + CryptoManager manager = CryptoManager.getInstance(); + CryptoToken tokenA = manager.getTokenByName("TokenA"); + CryptoToken tokenB = manager.getTokenByName("TokenB"); + + // Create an RSA KeyPairGenerator using TokenA + manager.setThreadToken(tokenA); + KeyPairGenerator rsaKpg = KeyPairGenerator.getInstance("RSA", "Mozilla-JSS"); + + // Create a DSA KeyPairGenerator using TokenB + manager.setThreadToken(tokenB); + KeyPairGenerator dsaKpg = KeyPairGenerator.getInstance("DSA", "Mozilla-JSS"); + + // Generate an RSA KeyPair. This will happen on TokenA because TokenA + // was the per-thread default token when rsaKpg was created. + rsaKpg.initialize(1024); + KeyPair rsaPair = rsaKpg.generateKeyPair(); + + // Generate a DSA KeyPair. This will happen on TokenB because TokenB + // was the per-thread default token when dsaKpg was created. + dsaKpg.initialize(1024); + KeyPair dsaPair = dsaKpg.generateKeyPair(); + +.. _supported_classes: + +`Supported Classes <#supported_classes>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + - `Cipher <#cipher>`__ + + - `DSAPrivateKey <#dsaprivatekey>`__ + + - DSAPublicKey + + - `KeyFactory <#keyfactory>`__ + + - `KeyGenerator <#keygenerator>`__ + + - `KeyPairGenerator <#keypairgenerator>`__ + + - `Mac <#mac>`__ + + - `MessageDigest <#messagedigest>`__ + + - `RSAPrivateKey <#rsaprivatekey>`__ + + - RSAPublicKey + + - `SecretKeyFactory <#secretkeyfactory>`__ + + - `SecretKey <#secretkey>`__ + + - `SecureRandom <#securerandom>`__ + + - `Signature <#signature>`__ + + .. rubric:: What's Not Supported + :name: What's_Not_Supported + + - The following classes don't work very well: + + - **KeyStore:** There are many serious problems mapping the JCA keystore interface onto + NSS's model of PKCS #11 modules. The current implementation is almost useless. Since + these problems lie deep in the NSS design and implementation, there is no clear + timeframe for fixing them. Meanwhile, the ``org.mozilla.jss.crypto.CryptoStore`` class + can be used for some of this functionality. + +.. rubric:: Cipher + :name: Cipher_2 + +.. rubric:: Supported Algorithms + :name: supported_algorithms + +.. rubric:: Notes + :name: notes + +- + + - AES + - DES + - DESede (*DES3* ) + - RC2 + - RC4 + - RSA + + - The following modes and padding schemes are supported: + + + +------------------------------+------------------------------+------------------------------+ + | Algorithm | Mode | Padding | + +------------------------------+------------------------------+------------------------------+ + | DES | ECB | NoPadding | + +------------------------------+------------------------------+------------------------------+ + | | CBC | NoPadding | + +------------------------------+------------------------------+------------------------------+ + | | | PKCS5 Padding | + +------------------------------+------------------------------+------------------------------+ + | DESede | ECB | NoPadding | + | *DES3* | | | + +------------------------------+------------------------------+------------------------------+ + | | CBC | NoPadding | + +------------------------------+------------------------------+------------------------------+ + | | | PKCS5 Padding | + +------------------------------+------------------------------+------------------------------+ + | AES | ECB | NoPadding | + +------------------------------+------------------------------+------------------------------+ + | | CBC | NoPadding | + +------------------------------+------------------------------+------------------------------+ + | | | PKCS5 Padding | + +------------------------------+------------------------------+------------------------------+ + | RC4 | *None* | *None* | + +------------------------------+------------------------------+------------------------------+ + | RC2 | CBC | NoPadding | + +------------------------------+------------------------------+------------------------------+ + | | | PKCS5Padding | + +------------------------------+------------------------------+------------------------------+ + + - The SecureRandom argument passed to ``initSign()`` and ``initVerify()`` is ignored, because + NSS does not support specifying an external source of randomness. + +.. rubric:: DSAPrivateKey + :name: DSAPrivateKey_2 + +- ``getX()`` is not supported because NSS does not support extracting data from private keys. + +.. rubric:: KeyFactory + :name: KeyFactory_2 + +.. rubric:: Supported Algorithms + :name: supported_algorithms_2 + +.. rubric:: Notes + :name: notes_2 + +- + + - DSA + - RSA + + - The following transformations are supported for ``generatePublic()`` and + ``generatePrivate()``: + + + +----------------------------------------------+----------------------------------------------+ + | From | To | + +----------------------------------------------+----------------------------------------------+ + | ``RSAPublicKeySpec`` | ``RSAPublicKey`` | + +----------------------------------------------+----------------------------------------------+ + | ``DSAPublicKeySpec`` | ``DSAPublicKey`` | + +----------------------------------------------+----------------------------------------------+ + | ``X509EncodedKeySpec`` | ``RSAPublicKey`` | + | | ``DSAPublicKey`` | + +----------------------------------------------+----------------------------------------------+ + | ``RSAPrivateCrtKeySpec`` | ``RSAPrivateKey`` | + +----------------------------------------------+----------------------------------------------+ + | ``DSAPrivateKeySpec`` | ``DSAPrivateKey`` | + +----------------------------------------------+----------------------------------------------+ + | ``PKCS8EncodedKeySpec`` | ``RSAPrivateKey`` | + | | ``DSAPrivateKey`` | + +----------------------------------------------+----------------------------------------------+ + + - ``getKeySpec()`` is not supported. This method exports key material in plaintext and is + therefore insecure. Note that a public key's data can be accessed directly from the key. + - ``translateKey()`` simply gets the encoded form of the given key and then tries to import + it by calling ``generatePublic()`` or ``generatePrivate()``. Only ``X509EncodedKeySpec`` is + supported for public keys, and only ``PKCS8EncodedKeySpec`` is supported for private keys. + +.. rubric:: KeyGenerator + :name: KeyGenerator_2 + +.. rubric:: Supported Algorithms + :name: supported_algorithms_3 + +.. rubric:: Notes + :name: notes_3 + +- + + - AES + - DES + - DESede (*DES3* ) + - RC4 + + - The SecureRandom argument passed to ``init()`` is ignored, because NSS does not support + specifying an external source of randomness. + - None of the key generation algorithms accepts an ``AlgorithmParameterSpec``. + +.. rubric:: KeyPairGenerator + :name: KeyPairGenerator_2 + +.. rubric:: Supported Algorithms + :name: supported_algorithms_4 + +.. rubric:: Notes + :name: notes_4 + +- + + - DSA + - RSA + + - The SecureRandom argument passed to initialize() is ignored, because NSS does not support + specifying an external source of randomness. + +.. rubric:: Mac + :name: Mac_2 + +.. rubric:: Supported Algorithms + :name: supported_algorithms_5 + +.. rubric:: Notes + :name: notes_5 + +- + + - HmacSHA1 (*Hmac-SHA1* ) + + - Any secret key type (AES, DES, etc.) can be used as the MAC key, but it must be a JSS key. + That is, it must be an ``instanceof org.mozilla.jss.crypto.SecretKeyFacade``. + - The params passed to ``init()`` are ignored. + +.. rubric:: MessageDigest + :name: MessageDigest_2 + +.. rubric:: Supported Algorithms + :name: supported_algorithms_6 + +- + + - MD5 + - MD2 + - SHA-1 (*SHA1, SHA* ) + +.. rubric:: RSAPrivateKey + :name: RSAPrivateKey_2 + +.. rubric:: Notes + :name: notes_6 + +- + + - ``getModulus()`` is not supported because NSS does not support extracting data from private + keys. + - ``getPrivateExponent()`` is not supported because NSS does not support extracting data from + private keys. + +.. rubric:: SecretKeyFactory + :name: SecretKeyFactory_2 + +.. rubric:: Supported Algorithms + :name: supported_algorithms_7 + +.. rubric:: Notes + :name: notes_7 + +- + + - AES + - DES + - DESede (*DES3* ) + - PBAHmacSHA1 + - PBEWithMD5AndDES + - PBEWithSHA1AndDES + - PBEWithSHA1AndDESede (*PBEWithSHA1AndDES3* ) + - PBEWithSHA1And128RC4 + - RC4 + + - ``generateSecret`` supports the following transformations: + + + +----------------------------------------------+----------------------------------------------+ + | KeySpec Class | Key Algorithm | + +----------------------------------------------+----------------------------------------------+ + | PBEKeySpec | *Using the appropriate PBE algorithm:* | + | org.mozilla.jss.crypto.PBEKeyGenParams | DES | + | | DESede | + | | RC4 | + +----------------------------------------------+----------------------------------------------+ + | DESedeKeySpec | DESede | + +----------------------------------------------+----------------------------------------------+ + | DESKeySpec | DES | + +----------------------------------------------+----------------------------------------------+ + | SecretKeySpec | AES | + | | DES | + | | DESede | + | | RC4 | + +----------------------------------------------+----------------------------------------------+ + + - ``getKeySpec`` supports the following transformations: + + + +----------------------------------------------+----------------------------------------------+ + | Key Algorithm | KeySpec Class | + +----------------------------------------------+----------------------------------------------+ + | DESede | DESedeKeySpec | + +----------------------------------------------+----------------------------------------------+ + | DES | DESKeySpec | + +----------------------------------------------+----------------------------------------------+ + | DESede | SecretKeySpec | + | DES | | + | AES | | + | RC4 | | + +----------------------------------------------+----------------------------------------------+ + + - For increased security, some SecretKeys may not be extractable from their PKCS #11 token. + In this case, the key should be wrapped (encrypted with another key), and then the + encrypted key might be extractable from the token. This policy varies across PKCS #11 + tokens. + - ``translateKey`` tries two approaches to copying keys. First, it tries to copy the key + material directly using NSS calls to PKCS #11. If that fails, it calls ``getEncoded()`` on + the source key, and then tries to create a new key on the target token from the encoded + bits. Both of these operations will fail if the source key is not extractable. + - The class ``java.security.spec.PBEKeySpec`` in JDK versions earlier than 1.4 does not + contain the salt and iteration fields, which are necessary for PBE key generation. These + fields were added in JDK 1.4. If you are using a JDK (or JRE) version earlier than 1.4, you + cannot use class ``java.security.spec.PBEKeySpec``. Instead, you can use + ``org.mozilla.jss.crypto.PBEKeyGenParams``. If you are using JDK (or JRE) 1.4 or later, you + can use ``java.security.spec.PBEKeySpec`` or ``org.mozilla.jss.crypto.PBEKeyGenParams``. + +.. rubric:: SecretKey + :name: SecretKey_2 + +.. rubric:: Supported Algorithms + :name: supported_algorithms_8 + +.. rubric:: Notes + :name: notes_8 + +- + + - AES + - DES + - DESede (*DES3* ) + - HmacSHA1 + - RC2 + - RC4 + + - ``SecretKey`` is implemented by the class ``org.mozilla.jss.crypto.SecretKeyFacade``, which + acts as a wrapper around the JSS class ``SymmetricKey``. Any ``SecretKeys`` handled by JSS + will actually be ``SecretKeyFacades``. This should usually be transparent. + +.. rubric:: SecureRandom + :name: SecureRandom_2 + +.. rubric:: Supported Algorithms + :name: supported_algorithms_9 + +.. rubric:: Notes + :name: notes_9 + +- + + - pkcs11prng + + - This invokes the NSS internal pseudorandom number generator. + +.. rubric:: Signature + :name: Signature_2 + +.. rubric:: Supported Algorithms + :name: supported_algorithms_10 + +.. rubric:: Notes + :name: notes_10 + +- + + - SHA1withDSA (*DSA, DSS, SHA/DSA, SHA-1/DSA, SHA1/DSA, DSAWithSHA1, SHAwithDSA* ) + - SHA-1/RSA (*SHA1/RSA, SHA1withRSA* ) + - MD5/RSA (*MD5withRSA* ) + - MD2/RSA + + - The ``SecureRandom`` argument passed to ``initSign()`` and ``initVerify()`` is ignored, + because NSS does not support specifying an external source of randomness. diff --git a/security/nss/doc/rst/legacy/jss/mozilla-jss_jca_provider_notes/index.rst b/security/nss/doc/rst/legacy/jss/mozilla-jss_jca_provider_notes/index.rst new file mode 100644 index 0000000000..f8edb0953c --- /dev/null +++ b/security/nss/doc/rst/legacy/jss/mozilla-jss_jca_provider_notes/index.rst @@ -0,0 +1,472 @@ +.. _mozilla_projects_nss_jss_mozilla-jss_jca_provider_notes: + +Mozilla-JSS JCA Provider notes +============================== + +.. _the_mozilla-jss_jca_provider: + +`The Mozilla-JSS JCA Provider <#the_mozilla-jss_jca_provider>`__ +---------------------------------------------------------------- + +.. container:: + + *Newsgroup:*\ `mozilla.dev.tech.crypto `__ + +`Overview <#overview>`__ +~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + This document describes the JCA Provider shipped with JSS. The provider's name is "Mozilla-JSS". + It implements cryptographic operations in native code using the + `NSS `__ libraries. + +`Contents <#contents>`__ +~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + - `Signed JAR + file `__ + - `Installing the + Provider `__ + - `Specifying the + CryptoToken `__ + - `Supported + Classes `__ + - `What's Not + Supported `__ + +.. _signed_jar_file: + +`Signed JAR file <#signed_jar_file>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + JSS implements several JCE (Java Cryptography Extension) algorithms. These algorithms have at + various times been export-controlled by the US government. JRE therefore requires that JAR files + implementing JCE algorithms be digitally signed by an approved organization. The maintainers of + JSS, Sun, Red Hat, and Mozilla, have this approval and signs the official builds of ``jss4.jar``. + At runtime, the JRE automatically verifies this signature whenever a JSS class is loaded that + implements a JCE algorithm. The verification is transparent to the application (unless it fails + and throws an exception). If you are curious, you can verify the signature on the JAR file using + the ``jarsigner`` tool, which is distributed with the JDK. + + If you build JSS yourself from source instead of using binaries downloaded from mozilla.org, your + JAR file will not have a valid signature. This means you will not be able to use the JSS provider + for JCE algorithms. You have two choices. + + #. Use the binary release of JSS from mozilla.org. + #. Apply for your own JCE code-signing certificate following the procedure at `How to Implement a + Provider for the Java\ TM Cryptography + Extension `__. + Then you can sign your own JSS JAR file. + +.. _installing_the_provider: + +`Installing the Provider <#installing_the_provider>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + In order to use any part of JSS, including the JCA provider, you must first call + ``CryptoManager.initialize()``. By default, the JCA provider will be installed in the list of + providers maintained by the ``java.security.Security`` class. If you do not wish the provider to + be installed, create a + ```CryptoManager.InitializationValues`` `__ + object, set its ``installJSSProvider`` field to ``false``, and pass the ``InitializationValues`` + object to ``CryptoManager.initialize()``. + +.. _specifying_the_cryptotoken: + +`Specifying the CryptoToken <#specifying_the_cryptotoken>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + All cryptographic operations in JSS and NSS occur on a particular PKCS #11 token, implemented in + software or hardware. There is no clean way to specify this token through the JCA API. By + default, the JSS provider carries out all operations except MessageDigest on the Internal Key + Storage Token, a software token included in JSS/NSS. MessageDigest operations take place by + default on the Internal Crypto Token, another internal software token in JSS/NSS. There is no + good design reason for this difference, but it is necessitated by a quirk in the NSS + implementation. + + In order to use a different token, use ``CryptoManager.setThreadToken()``. This sets the token to + be used by the JSS JCA provider in the current thread. When you call ``getInstance()`` on a JCA + class, the JSS provider checks the current per-thread default token (by calling + ``CryptoManager.getThreadToken()``) and instructs the new object to use that token for + cryptographic operations. The per-thread default token setting is only consulted inside + ``getInstance()``. Once a JCA object has been created it will continue to use the same token, + even if the application later changes the per-thread default token. + + Whenever a new thread is created, its token is initialized to the default, the Internal Key + Storage Token. Thus, the thread token is not inherited from the parent thread. + + The following example shows how you can specify which token is used for various JCA operations: + + .. code:: + + // Lookup PKCS #11 tokens + CryptoManager manager = CryptoManager.getInstance(); + CryptoToken tokenA = manager.getTokenByName("TokenA"); + CryptoToken tokenB = manager.getTokenByName("TokenB"); + + // Create an RSA KeyPairGenerator using TokenA + manager.setThreadToken(tokenA); + KeyPairGenerator rsaKpg = KeyPairGenerator.getInstance("Mozilla-JSS", "RSA"); + + // Create a DSA KeyPairGenerator using TokenB + manager.setThreadToken(tokenB); + KeyPairGenerator dsaKpg = KeyPairGenerator.getInstance("Mozilla-JSS", "DSA"); + + // Generate an RSA KeyPair. This will happen on TokenA because TokenA + // was the per-thread default token when rsaKpg was created. + rsaKpg.initialize(1024); + KeyPair rsaPair = rsaKpg.generateKeyPair(); + + // Generate a DSA KeyPair. This will happen on TokenB because TokenB + // was the per-thread default token when dsaKpg was created. + dsaKpg.initialize(1024); + KeyPair dsaPair = dsaKpg.generateKeyPair(); + +.. _supported_classes: + +`Supported Classes <#supported_classes>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + - `Cipher `__ + - `DSAPrivateKey `__ + - DSAPublicKey + - `KeyFactory `__ + - `KeyGenerator `__ + - `KeyPairGenerator `__ + - `Mac `__ + - `MessageDigest `__ + - `RSAPrivateKey `__ + - RSAPublicKey + - `SecretKeyFactory `__ + - `SecretKey `__ + - `SecureRandom `__ + - `Signature `__ + +`Cipher <#cipher>`__ +~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + .. rubric:: Supported Algorithms + :name: supported_algorithms + + .. rubric:: Notes + :name: notes + + - AES + - DES + - DESede (*DES3*) + - RC2 + - RC4 + - RSA + + - The following modes and padding schemes are supported: + + +--------------------------------+--------------------------------+--------------------------------+ + | Algorithm | Mode | Padding | + +--------------------------------+--------------------------------+--------------------------------+ + | DES | ECB | NoPadding | + +--------------------------------+--------------------------------+--------------------------------+ + | | CBC | NoPadding | + +--------------------------------+--------------------------------+--------------------------------+ + | | | PKCS5 Padding | + +--------------------------------+--------------------------------+--------------------------------+ + | DESede | ECB | NoPadding | + | *DES3* | | | + +--------------------------------+--------------------------------+--------------------------------+ + | | CBC | NoPadding | + +--------------------------------+--------------------------------+--------------------------------+ + | | | PKCS5 Padding | + +--------------------------------+--------------------------------+--------------------------------+ + | AES | ECB | NoPadding | + +--------------------------------+--------------------------------+--------------------------------+ + | | CBC | NoPadding | + +--------------------------------+--------------------------------+--------------------------------+ + | | | PKCS5 Padding | + +--------------------------------+--------------------------------+--------------------------------+ + | RC4 | *None* | *None* | + +--------------------------------+--------------------------------+--------------------------------+ + | RC2 | CBC | NoPadding | + +--------------------------------+--------------------------------+--------------------------------+ + | | | PKCS5Padding | + +--------------------------------+--------------------------------+--------------------------------+ + + - The SecureRandom argument passed to ``initSign()`` and ``initVerify()`` is ignored, because + NSS does not support specifying an external source of randomness. + +`DSAPrivateKey <#dsaprivatekey>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + - ``getX()`` is not supported because NSS does not support extracting data from private keys. + +`KeyFactory <#keyfactory>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + .. rubric:: Supported Algorithms + :name: supported_algorithms_2 + + .. rubric:: Notes + :name: notes_2 + + - DSA + - RSA + - The following transformations are supported for ``generatePublic()`` and + ``generatePrivate()``: + + +-------------------------------------------------+-------------------------------------------------+ + | From | To | + +-------------------------------------------------+-------------------------------------------------+ + | ``RSAPublicKeySpec`` | ``RSAPublicKey`` | + +-------------------------------------------------+-------------------------------------------------+ + | ``DSAPublicKeySpec`` | ``DSAPublicKey`` | + +-------------------------------------------------+-------------------------------------------------+ + | ``X509EncodedKeySpec`` | ``RSAPublicKey`` | + | | ``DSAPublicKey`` | + +-------------------------------------------------+-------------------------------------------------+ + | ``RSAPrivateCrtKeySpec`` | ``RSAPrivateKey`` | + +-------------------------------------------------+-------------------------------------------------+ + | ``DSAPrivateKeySpec`` | ``DSAPrivateKey`` | + +-------------------------------------------------+-------------------------------------------------+ + | ``PKCS8EncodedKeySpec`` | ``RSAPrivateKey`` | + | | ``DSAPrivateKey`` | + +-------------------------------------------------+-------------------------------------------------+ + + - ``getKeySpec()`` is not supported. This method exports key material in plaintext and is + therefore insecure. Note that a public key's data can be accessed directly from the key. + - ``translateKey()`` simply gets the encoded form of the given key and then tries to import it + by calling ``generatePublic()`` or ``generatePrivate()``. Only ``X509EncodedKeySpec`` is + supported for public keys, and only ``PKCS8EncodedKeySpec`` is supported for private keys. + +`KeyGenerator <#keygenerator>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + .. rubric:: Supported Algorithms + :name: supported_algorithms_3 + + .. rubric:: Notes + :name: notes_3 + + - AES + - DES + - DESede (*DES3*) + - RC4 + - The SecureRandom argument passed to ``init()`` is ignored, because NSS does not support + specifying an external source of randomness. + - None of the key generation algorithms accepts an ``AlgorithmParameterSpec``. + +`KeyPairGenerator <#keypairgenerator>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + .. rubric:: Supported Algorithms + :name: supported_algorithms_4 + + .. rubric:: Notes + :name: notes_4 + + - DSA + - RSA + + - The SecureRandom argument passed to initialize() is ignored, because NSS does not support + specifying an external source of randomness. + +`Mac <#mac>`__ +~~~~~~~~~~~~~~ + +.. container:: + + .. rubric:: Supported Algorithms + :name: supported_algorithms_5 + + .. rubric:: Notes + :name: notes_5 + + - HmacSHA1 (*Hmac-SHA1*) + + - Any secret key type (AES, DES, etc.) can be used as the MAC key, but it must be a JSS key. + That is, it must be an ``instanceof org.mozilla.jss.crypto.SecretKeyFacade``. + - The params passed to ``init()`` are ignored. + +`MessageDigest <#messagedigest>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + .. rubric:: Supported Algorithms + :name: supported_algorithms_6 + + - MD5 + - MD2 + - SHA-1 (*SHA1, SHA*) + +`RSAPrivateKey <#rsaprivatekey>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + .. rubric:: Notes + :name: notes_6 + + - ``getModulus()`` is not supported because NSS does not support extracting data from private + keys. + - ``getPrivateExponent()`` is not supported because NSS does not support extracting data from + private keys. + +`SecretKeyFactory <#secretkeyfactory>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + .. rubric:: Supported Algorithms + :name: supported_algorithms_7 + + .. rubric:: Notes + :name: notes_7 + + - AES + - DES + - DESede (*DES3*) + - PBAHmacSHA1 + - PBEWithMD5AndDES + - PBEWithSHA1AndDES + - PBEWithSHA1AndDESede (*PBEWithSHA1AndDES3*) + - PBEWithSHA1And128RC4 + - RC4 + + - ``generateSecret`` supports the following transformations: + + +-------------------------------------------------+-------------------------------------------------+ + | KeySpec Class | Key Algorithm | + +-------------------------------------------------+-------------------------------------------------+ + | PBEKeySpec | *Using the appropriate PBE algorithm:* | + | org.mozilla.jss.crypto.PBEKeyGenParams | DES | + | | DESede | + | | RC4 | + +-------------------------------------------------+-------------------------------------------------+ + | DESedeKeySpec | DESede | + +-------------------------------------------------+-------------------------------------------------+ + | DESKeySpec | DES | + +-------------------------------------------------+-------------------------------------------------+ + | SecretKeySpec | AES | + | | DES | + | | DESede | + | | RC4 | + +-------------------------------------------------+-------------------------------------------------+ + + - ``getKeySpec`` supports the following transformations: + + +-------------------------------------------------+-------------------------------------------------+ + | Key Algorithm | KeySpec Class | + +-------------------------------------------------+-------------------------------------------------+ + | DESede | DESedeKeySpec | + +-------------------------------------------------+-------------------------------------------------+ + | DES | DESKeySpec | + +-------------------------------------------------+-------------------------------------------------+ + | DESede | SecretKeySpec | + | DES | | + | AES | | + | RC4 | | + +-------------------------------------------------+-------------------------------------------------+ + + - For increased security, some SecretKeys may not be extractable from their PKCS #11 token. In + this case, the key should be wrapped (encrypted with another key), and then the encrypted key + might be extractable from the token. This policy varies across PKCS #11 tokens. + - ``translateKey`` tries two approaches to copying keys. First, it tries to copy the key + material directly using NSS calls to PKCS #11. If that fails, it calls ``getEncoded()`` on the + source key, and then tries to create a new key on the target token from the encoded bits. Both + of these operations will fail if the source key is not extractable. + - The class ``java.security.spec.PBEKeySpec`` in JDK versions earlier than 1.4 does not contain + the salt and iteration fields, which are necessary for PBE key generation. These fields were + added in JDK 1.4. If you are using a JDK (or JRE) version earlier than 1.4, you cannot use + class ``java.security.spec.PBEKeySpec``. Instead, you can use + ``org.mozilla.jss.crypto.PBEKeyGenParams``. If you are using JDK (or JRE) 1.4 or later, you + can use ``java.security.spec.PBEKeySpec`` or ``org.mozilla.jss.crypto.PBEKeyGenParams``. + +`SecretKey <#secretkey>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + .. rubric:: Supported Algorithms + :name: supported_algorithms_8 + + .. rubric:: Notes + :name: notes_8 + + - AES + - DES + - DESede (*DES3*) + - HmacSHA1 + - RC2 + - RC4 + + - ``SecretKey`` is implemented by the class ``org.mozilla.jss.crypto.SecretKeyFacade``, which + acts as a wrapper around the JSS class ``SymmetricKey``. Any ``SecretKeys`` handled by JSS + will actually be ``SecretKeyFacades``. This should usually be transparent. + +`SecureRandom <#securerandom>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + .. rubric:: Supported Algorithms + :name: supported_algorithms_9 + + .. rubric:: Notes + :name: notes_9 + + - pkcs11prng + + - This invokes the NSS internal pseudorandom number generator. + +`Signature <#signature>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + .. rubric:: Supported Algorithms + :name: supported_algorithms_10 + + .. rubric:: Notes + :name: notes_10 + + - SHA1withDSA (*DSA, DSS, SHA/DSA, SHA-1/DSA, SHA1/DSA, DSAWithSHA1, SHAwithDSA*) + - SHA-1/RSA (*SHA1/RSA, SHA1withRSA*) + - MD5/RSA (*MD5withRSA*) + - MD2/RSA + + - The SecureRandom argument passed to ``initSign()`` and ``initVerify()`` is ignored, because + NSS does not support specifying an external source of randomness. + +.. _what's_not_supported: + +`What's Not Supported <#what's_not_supported>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + The following classes don't work very well: + + - **KeyStore:** There are many serious problems mapping the JCA keystore interface onto NSS's + model of PKCS #11 modules. The current implementation is almost useless. Since these problems + lie deep in the NSS design and implementation, there is no clear timeframe for fixing them. + Meanwhile, the ``org.mozilla.jss.crypto.CryptoStore`` class can be used for some of this + functionality. \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/jss/using_jss/index.rst b/security/nss/doc/rst/legacy/jss/using_jss/index.rst new file mode 100644 index 0000000000..3a5f19f9c7 --- /dev/null +++ b/security/nss/doc/rst/legacy/jss/using_jss/index.rst @@ -0,0 +1,152 @@ +.. _mozilla_projects_nss_jss_using_jss: + +Using JSS +========= + +.. _using_jss: + +`Using JSS <#using_jss>`__ +-------------------------- + +.. container:: + + *Newsgroup:*\ `mozilla.dev.tech.crypto `__ + + If you have already `built + JSS `__, or if you + are planning to use a binary release of JSS, here's how to get JSS working with your code. + + | `Gather Components <#components>`__ + | `Setup your runtime environment <#runtime>`__ + | `Initialize JSS in your application <#init>`__ + +.. _gather_components: + +`Gather components <#gather_components>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + #. You need the JSS classes and the NSPR, NSS, and JSS shared libraries. + + #. **NSPR and NSS Shared Libraries** + + JSS uses the NSPR and NSS libraries for I/O and crypto. JSS version 3.0 linked statically with + NSS, so it only required NSPR. JSS versions 3.1 and later link dynamically with NSS, so they + also require the NSS shared libraries. + + The exact library names vary according to the convention for each platform. For example, the + NSPR library is called ``nspr4.dll`` or ``libnspr4.dll`` on Windows and ``libnspr4.so`` on + Solaris. The following table gives the core names of the libraries, omitting the + platform-specific prefix and suffix. + + +-------------------+-------------------------------------+--------------------------------------+ + | JSS Dependencies | | | + +-------------------+-------------------------------------+--------------------------------------+ + | Core Library Name | Description | Binary Release Location | + +-------------------+-------------------------------------+--------------------------------------+ + | nspr4 | NSPR OS abstraction layer | `htt | + | | | p://ftp.mozilla.org/pub/mozilla.org/ | + | | | nspr/releases `__ | + +-------------------+-------------------------------------+--------------------------------------+ + | plc4 | | NSPR standard C library replacement | + | | | functions | + +-------------------+-------------------------------------+--------------------------------------+ + | plds4 | | NSPR data structure types | + +-------------------+-------------------------------------+--------------------------------------+ + | nss3 | NSS crypto, PKCS #11, and utilities | `http://ftp.mozilla. | + | | | org/pub/mozilla.org/security/nss/rel | + | | | eases `__ | + +-------------------+-------------------------------------+--------------------------------------+ + | ssl3 | | NSS SSL library | + +-------------------+-------------------------------------+--------------------------------------+ + | smime3 | | NSS S/MIME functions and types | + +-------------------+-------------------------------------+--------------------------------------+ + | nssckbi | | PKCS #11 module containing built-in | + | | | root CA certificates. Optional. | + +-------------------+-------------------------------------+--------------------------------------+ + | freebl_\* | | Processor-specific optimized | + | | | big-number arithmetic library. Not | + | | | present on all platforms. | + | | | :ref:`mozilla_projects_nss_introd | + | | | uction_to_network_security_services` | + +-------------------+-------------------------------------+--------------------------------------+ + | fort | | FORTEZZA support. Optional | + +-------------------+-------------------------------------+--------------------------------------+ + | swft | | PKCS #11 module implementing | + | | | FORTEZZA in software. Optional. | + +-------------------+-------------------------------------+--------------------------------------+ + + If you built JSS from source, you have these libraries in the ``mozilla/dist//lib`` + directory of your build tree. If you are downloading binaries, get them from the binary + release locations in the above table. You need to select the right version of the components, + based on the version of JSS you are using. Generally, it is safe to use a later version of a + component than what JSS was tested with. For example, although JSS 4.2 was tested with NSS + 3.11. + + ================== ========= ============== + Component Versions + JSS Version Component Tested Version + JSS 4.2 NSPR 4.6.4 + \ NSS 3.11.4 + JSS 3.4 NSPR 4.2.2 + \ NSS 3.7.3 + JSS 3.3 NSPR 4.2.2 + \ NSS 3.6.1 or 3.7 + JSS 3.2 NSPR 4.2 or 4.1.2 + \ NSS 3.4.2 + JSS 3.1.1 NSPR 4.1.2 + \ NSS 3.3.1 + JSS 3.1 NSPR 4.1.2 + \ NSS 3.3 + JSS 3.0 NSPR 3.5.1 + ================== ========= ============== + + #. **JSS Shared Library** + + The JSS shared library is ``jss4.dll`` (Windows) or ``libjss4.so`` (Unix). If you built JSS + from source, it is in ``mozilla/dist//lib``. If you are downloading binaries, get it + from http://ftp.mozilla.org/pub/mozilla.org/security/jss/releases/. + + #. **JSS classes** + + If you built JSS from source, the compiled JSS classes are in ``mozilla/dist/classes[_dbg]``. + You can put this directory in your classpath to run applications locally; or, you can package + the class files into a JAR file for easier distribution: + + .. code:: + + cd mozilla/dist/classes[_dbg] + zip -r ../jss42.jar . + + If you are downloading binaries, get jss42.jar + from http://ftp.mozilla.org/pub/mozilla.org/security/jss/releases/. + +.. _setup_your_runtime_environment: + +`Setup your runtime environment <#setup_your_runtime_environment>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + You need to set some environment variables before building and running Java applications with + JSS. + + ``CLASSPATH`` + Include the path containing the JSS classes you built, or the path to ``jss42.jar``. (The path + to ``jss34.jar`` ends with the string "/jss42.jar". It is not just the directory that contains + ``jss42.jar``.) + ``LD_LIBRARY_PATH`` (Unix) / ``PATH`` (Windows) + Include the path to the NSPR, NSS, and JSS shared libraries. + +.. _initialize_jss_in_your_application: + +`Initialize JSS in your application <#initialize_jss_in_your_application>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + Before calling any JSS methods, you must initialize JSS by calling one of the + ``CryptoManager.initialize`` methods. See the `javadoc `__ for more details. \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/key_log_format/index.rst b/security/nss/doc/rst/legacy/key_log_format/index.rst new file mode 100644 index 0000000000..99bdf87e1d --- /dev/null +++ b/security/nss/doc/rst/legacy/key_log_format/index.rst @@ -0,0 +1,61 @@ +.. _mozilla_projects_nss_key_log_format: + +NSS Key Log Format +================== + +.. container:: + + Key logs can be written by NSS so that external programs can decrypt TLS connections. Wireshark + 1.6.0 and above can use these log files to decrypt packets. You can tell Wireshark where to find + the key file via *Edit→Preferences→Protocols→TLS→(Pre)-Master-Secret log filename*. + + Key logging is enabled by setting the environment variable ``SSLKEYLOGFILE`` to point to a file. + Note: starting with :ref:`mozilla_projects_nss_nss_3_24_release_notes` (used by Firefox 48 and 49 + only), the ``SSLKEYLOGFILE`` approach is disabled by default for optimized builds using the + Makefile (those using gyp via ``build.sh`` are *not* affected). Distributors can re-enable it at + compile time though (using the ``NSS_ALLOW_SSLKEYLOGFILE=1`` make variable) which is done for the + official Firefox binaries. (See `bug + 1188657 `__.) Notably, Debian does not have + this option enabled, see `Debian bug + 842292 `__. + + This key log file is a series of lines. Comment lines begin with a sharp character ('#') and are + ignored. Secrets follow the format ``