1.. _mozilla_projects_nss_index: 2 3Index 4===== 5 6.. container:: 7 8 **Found 361 pages:** 9 10 +--------------------------------+--------------------------------+--------------------------------+ 11 | # | Page | Tags and summary | 12 +================================+================================+================================+ 13 | 1 | :ref:`mozilla_projects_nss` | **JSS, NSS, NeedsMigration** | 14 +--------------------------------+--------------------------------+--------------------------------+ 15 | | | **Network Security Services** | 16 | | | (**NSS**) is a set of | 17 | | | libraries designed to support | 18 | | | cross-platform development of | 19 | | | security-enabled client and | 20 | | | server applications. | 21 | | | Applications built with NSS | 22 | | | can support SSL v3, TLS, PKCS | 23 | | | #5, PKCS #7, PKCS #11, PKCS | 24 | | | #12, S/MIME, X.509 v3 | 25 | | | certificates, and other | 26 | | | security standards. | 27 +--------------------------------+--------------------------------+--------------------------------+ 28 | | | | 29 +--------------------------------+--------------------------------+--------------------------------+ 30 | 2 | :ref:`mozilla_projects_nss | **API, Intermediate, Intro, | 31 | | _an_overview_of_nss_internals` | NSS, Tools** | 32 +--------------------------------+--------------------------------+--------------------------------+ 33 | | | A High-Level Overview to the | 34 | | | Internals of `Network Security | 35 | | | Services | 36 | | | (NSS) <https://developer. | 37 | | | mozilla.org/en-US/docs/NSS>`__ | 38 | | | Software developed by the | 39 | | | Mozilla.org projects | 40 | | | traditionally used its own | 41 | | | implementation of security | 42 | | | protocols and cryptographic | 43 | | | algorithms, originally called | 44 | | | Netscape Security Services, | 45 | | | nowadays called Network | 46 | | | Security Services (NSS). NSS | 47 | | | is a library written in the C | 48 | | | programming language. 
It's | 49 | | | free and open source software, | 50 | | | and many other software | 51 | | | projects have decided to use | 52 | | | it. In order to support | 53 | | | multiple operating systems | 54 | | | (OS), it is based on a cross | 55 | | | platform portability layer, | 56 | | | called the Netscape Portable | 57 | | | Runtime (NSPR), which provides | 58 | | | cross platform application | 59 | | | programming interfaces (APIs) | 60 | | | for OS specific APIs like file | 61 | | | system access, memory | 62 | | | management, network | 63 | | | communication, and | 64 | | | multithreaded programming. | 65 | | | NSS offers lots of | 66 | | | functionality; we'll walk | 67 | | | through the list of modules, | 68 | | | design principles, and | 69 | | | important relevant standards. | 70 | | | In order to allow | 71 | | | interoperability between | 72 | | | software and devices that | 73 | | | perform cryptographic | 74 | | | operations, NSS conforms to a | 75 | | | standard called PKCS#11. (Note | 76 | | | that it's important to look at | 77 | | | the number 11, as there are | 78 | | | other PKCS standards with | 79 | | | different numbers that define | 80 | | | quite different topics.) | 81 | | | A software or hardware module | 82 | | | conforming to the PKCS#11 | 83 | | | standard implements an | 84 | | | interface of C calls, which | 85 | | | allow querying the | 86 | | | characteristics and offered | 87 | | | services of the module. | 88 | | | Multiple elements of NSS's own | 89 | | | modules have been implemented | 90 | | | with this interface, and NSS | 91 | | | makes use of this interface | 92 | | | when talking to those modules. 
| 93 | | | This strategy allows NSS to | 94 | | | work with many hardware | 95 | | | devices (e.g., to speed up the | 96 | | | calculations required for | 97 | | | cryptographic operations, or | 98 | | | to access smartcards that | 99 | | | securely protect a secret key) | 100 | | | and software modules (e.g., to | 101 | | | allow to load such modules as | 102 | | | a plugin that provides | 103 | | | additional algorithms or | 104 | | | stores key or trust | 105 | | | information) that implement | 106 | | | the PKCS#11 interface. | 107 | | | A core element of NSS is | 108 | | | FreeBL, a base library | 109 | | | providing hash functions, big | 110 | | | number calculations, and | 111 | | | cryptographic algorithms. | 112 | | | Softoken is an NSS module that | 113 | | | exposes most FreeBL | 114 | | | functionality as a PKCS#11 | 115 | | | module. | 116 | | | Some cryptography uses the | 117 | | | same secret key for both | 118 | | | encrypting and decrypting, for | 119 | | | example password based | 120 | | | encryption (PBE). This is | 121 | | | often sufficient if you | 122 | | | encrypt data for yourself, but | 123 | | | as soon as you need to | 124 | | | exchange signed/encrypted data | 125 | | | with communication partners, | 126 | | | using public key encryption | 127 | | | simplifies the key management. | 128 | | | The environment that describes | 129 | | | how to use public key | 130 | | | encryption is called Public | 131 | | | Key Infrastructure (PKI). The | 132 | | | public keys that are exchanged | 133 | | | between parties are | 134 | | | transported using a container; | 135 | | | the container is called a | 136 | | | certificate, following | 137 | | | standard X.509 version 3. A | 138 | | | certificate contains lots of | 139 | | | other details; for example, it | 140 | | | contains a signature by a | 141 | | | third party that expresses | 142 | | | trust in the ownership | 143 | | | relationship for the | 144 | | | certificate. 
The trust | 145 | | | assigned by the third party | 146 | | | might be restricted to certain | 147 | | | uses, which are listed in | 148 | | | certificate extensions that | 149 | | | are contained in the | 150 | | | certificate. | 151 | | | Many (if not most) of the | 152 | | | operations performed by NSS | 153 | | | involve the use of X.509 | 154 | | | certificates (often | 155 | | | abbreviated as “cert”, | 156 | | | unfortunately making it easy | 157 | | | to confuse with the term | 158 | | | “computer emergency response | 159 | | | team“). | 160 | | | When checking whether a | 161 | | | certificate is trusted or not, | 162 | | | it's necessary to find a | 163 | | | relevant trust anchor (root | 164 | | | certificate) that represents | 165 | | | the signing capability of a | 166 | | | trusted third party, usually | 167 | | | called a Certificate Authority | 168 | | | (CA). A trust anchor is just | 169 | | | another X.509 certificate that | 170 | | | is already known and has been | 171 | | | deliberately marked as trusted | 172 | | | by a software vendor, | 173 | | | administrators inside an | 174 | | | organizational infrastructure, | 175 | | | or the software user. NSS | 176 | | | ships a predefined set of CA | 177 | | | certificates. This set, | 178 | | | including their trust | 179 | | | assignments, is provided by | 180 | | | NSS as a software module, | 181 | | | called CKBI (“built-in root | 182 | | | certificates”), which also | 183 | | | implements the PKCS#11 | 184 | | | interface. On an | 185 | | | organizational level the | 186 | | | contents of the set are | 187 | | | managed according to the | 188 | | | Mozilla CA policy. On a | 189 | | | technical level the set is a | 190 | | | binary software module. 
| 191 | | | A cryptographic transaction, | 192 | | | such as encryption or | 193 | | | decryption related to a data | 194 | | | exchange, usually involves | 195 | | | working with the X.509 certs | 196 | | | of your communication partners | 197 | | | (peer). It's also required | 198 | | | that you safely keep your own | 199 | | | secret keys that belong to | 200 | | | your own certificates. You | 201 | | | might want to protect the | 202 | | | storage of your secret keys | 203 | | | with PBE. You might decide to | 204 | | | modify the default trust | 205 | | | provided by NSS. All of this | 206 | | | requires storing, looking up, | 207 | | | and retrieving data. NSS | 208 | | | simplifies performing these | 209 | | | operations by offering storage | 210 | | | and management APIs. NSS | 211 | | | doesn't require the programmer | 212 | | | to manage individual files | 213 | | | containing individual | 214 | | | certificates or keys. Instead, | 215 | | | NSS offers to use its own | 216 | | | database(s). Once you have | 217 | | | imported certificates and keys | 218 | | | into the NSS database, you can | 219 | | | easily look them up and use | 220 | | | them again. | 221 | | | Because of NSS's expectation | 222 | | | to operate with an NSS | 223 | | | database, it's mandatory that | 224 | | | you perform an initialization | 225 | | | call, where you tell NSS which | 226 | | | database you will be using. In | 227 | | | the most simple scenario, the | 228 | | | programmer will provide a | 229 | | | directory on your filesystem | 230 | | | as a parameter to the init | 231 | | | function, and NSS is designed | 232 | | | to do the rest. It will detect | 233 | | | and open an existing database, | 234 | | | or it can create a new one. | 235 | | | Alternatively, should you | 236 | | | decide that you don't want to | 237 | | | work with any persistent | 238 | | | recording of certificates, you | 239 | | | may initialize NSS in a | 240 | | | no-database mode. 
Usually, NSS | 241 | | | will flush all data to disk as | 242 | | | soon as new data has been | 243 | | | added to permanent storage. | 244 | | | Storage consists of multiple | 245 | | | files: a key database file, | 246 | | | which contains your secret | 247 | | | keys, and a certificate | 248 | | | database file which contains | 249 | | | the public portion of your own | 250 | | | certificates, the certificates | 251 | | | of peers or CAs, and a list of | 252 | | | trust decisions (such as to | 253 | | | not trust a built-in CA, or to | 254 | | | explicitly trust other CAs). | 255 | | | Examples for the database | 256 | | | files are key3.db and | 257 | | | cert8.db, where the numbers | 258 | | | are file version numbers. A | 259 | | | third file contains the list | 260 | | | of external PKCS#11 modules | 261 | | | that have been registered to | 262 | | | be used by NSS. The file could | 263 | | | be named secmod.db, but in | 264 | | | newer database generations a | 265 | | | file named pkcs11.txt is used. | 266 | | | Only NSS is allowed to access | 267 | | | and manipulate these database | 268 | | | files directly; a programmer | 269 | | | using NSS must go through the | 270 | | | APIs offered by NSS to | 271 | | | manipulate the data stored in | 272 | | | these files. The programmer's | 273 | | | task is to initialize NSS with | 274 | | | the required parameters (such | 275 | | | as a database), and NSS will | 276 | | | then transparently manage the | 277 | | | database files. | 278 | | | Most of the time certificates | 279 | | | and keys are supposed to be | 280 | | | stored in the NSS database. | 281 | | | Therefore, after initial | 282 | | | import or creation, the | 283 | | | programmer usually doesn't | 284 | | | deal with their raw bytes. | 285 | | | Instead, the programmer will | 286 | | | use lookup functions, and NSS | 287 | | | will provide an access handle | 288 | | | that will be subsequently used | 289 | | | by the application's code. 
| 290 | | | Those handles are reference | 291 | | | counted. NSS will usually | 292 | | | create an in-memory (RAM) | 293 | | | presentation of certificates, | 294 | | | once a certificate has been | 295 | | | received from the network, | 296 | | | read from disk, or looked up | 297 | | | from the database, and prepare | 298 | | | in-memory data structures that | 299 | | | contain the certificate's | 300 | | | properties, as well as | 301 | | | providing a handle for the | 302 | | | programmer to use. Once the | 303 | | | application is done with a | 304 | | | handle, it should be released, | 305 | | | allowing NSS to free the | 306 | | | associated resources. When | 307 | | | working with handles to | 308 | | | private keys it's usually | 309 | | | difficult (and undesired) that | 310 | | | an application gets access to | 311 | | | the raw key data; therefore it | 312 | | | may be difficult to extract | 313 | | | such data from NSS. The usual | 314 | | | minimum requirement is that | 315 | | | private keys must be wrapped | 316 | | | using a protective layer (such | 317 | | | as password-based encryption). | 318 | | | The intention is to make it | 319 | | | easier to review code for | 320 | | | security. The less code that | 321 | | | has access to raw secret keys, | 322 | | | the less code that must be | 323 | | | reviewed. | 324 | | | NSS has only limited | 325 | | | functionality to look up raw | 326 | | | keys. The preferred approach | 327 | | | is to use certificates, and to | 328 | | | look up certificates by | 329 | | | properties such as the | 330 | | | contained subject name | 331 | | | (information that describes | 332 | | | the owner of the certificate). | 333 | | | For example, while NSS | 334 | | | supports random calculation | 335 | | | (creation) of a new | 336 | | | public/private key pair, it's | 337 | | | difficult to work with such a | 338 | | | raw key pair. 
The usual | 339 | | | approach is to create a | 340 | | | certificate signing request | 341 | | | (CSR) as soon as an | 342 | | | application is done with the | 343 | | | creation step, which will have | 344 | | | created a handle to the key | 345 | | | pair, and which can be used | 346 | | | for the necessary related | 347 | | | operations, like producing a | 348 | | | proof-of-ownership of the | 349 | | | private key, which is usually | 350 | | | required when submitting the | 351 | | | public key with a CSR to a CA. | 352 | | | The usual follow up action is | 353 | | | receiving a signed certificate | 354 | | | from a CA. (However, it's also | 355 | | | possible to use NSS | 356 | | | functionality to create a | 357 | | | self-signed certificate, | 358 | | | which, however, usually won't | 359 | | | be trusted by other parties.) | 360 | | | Once received, it's sufficient | 361 | | | to tell NSS to import such a | 362 | | | new certificate into the NSS | 363 | | | database, and NSS will | 364 | | | automatically perform a lookup | 365 | | | of the embedded public key, be | 366 | | | able to find the associated | 367 | | | private key, and subsequently | 368 | | | be able to treat it as a | 369 | | | personal certificate. (A | 370 | | | personal certificate is a | 371 | | | certificate for which the | 372 | | | private key is in possession, | 373 | | | and which could be used for | 374 | | | signing data or for decrypting | 375 | | | data.) A unique nickname | 376 | | | can/should be assigned to the | 377 | | | certificate at the time of | 378 | | | import, which can later be | 379 | | | used to easily identify and | 380 | | | retrieve it. | 381 | | | It's important to note that | 382 | | | NSS requires strict cleanup | 383 | | | for all handles returned by | 384 | | | NSS. The application should | 385 | | | always call the appropriate | 386 | | | dereference (destroy) | 387 | | | functions once a handle is no | 388 | | | longer needed. 
This is | 389 | | | particularly important for | 390 | | | applications that might need | 391 | | | to close a database and | 392 | | | reinitialize NSS using a | 393 | | | different one, without | 394 | | | restarting. Such an operation | 395 | | | might fail at runtime if data | 396 | | | elements are still being | 397 | | | referenced. | 398 | | | In addition to the FreeBL, | 399 | | | Softoken, and CKBI modules, | 400 | | | there is an utility library | 401 | | | for general operations (e.g., | 402 | | | encoding/decoding between data | 403 | | | formats, a list of | 404 | | | standardized object | 405 | | | identifiers (OID)). NSS has an | 406 | | | SSL/TLS module that implements | 407 | | | the Secure Sockets | 408 | | | Layer/Transport Layer Security | 409 | | | network protocols, an S/MIME | 410 | | | module that implements CMS | 411 | | | messaging used by secure email | 412 | | | and some instant messaging | 413 | | | implementations, a DBM library | 414 | | | that implements the classic | 415 | | | database storage, and finally | 416 | | | a core NSS library for the big | 417 | | | set of “everything else”. | 418 | | | Newer generations of the | 419 | | | database use the SQLite | 420 | | | database to allow concurrent | 421 | | | access by multiple | 422 | | | applications. | 423 | | | All of the above are provided | 424 | | | as shared libraries. The CRMF | 425 | | | library, which is used to | 426 | | | produce certain kinds of | 427 | | | certificate requests, is | 428 | | | available as a library for | 429 | | | static linking only. | 430 | | | When dealing with certificates | 431 | | | (X.509), file formats such as | 432 | | | PKCS#12 (certificates and | 433 | | | keys), PKCS#7 (signed data), | 434 | | | and message formats as CMS, we | 435 | | | should mention ASN.1, which is | 436 | | | a syntax for storing | 437 | | | structured data in a very | 438 | | | efficient (small sized) | 439 | | | presentation. 
It was | 440 | | | originally developed for | 441 | | | telecommunication systems at | 442 | | | times where it was critical to | 443 | | | minimize data as much as | 444 | | | possible (although it still | 445 | | | makes sense to use that | 446 | | | principle today for good | 447 | | | performance). In order to | 448 | | | process data available in the | 449 | | | ASN.1 format, the usual | 450 | | | approach is to parse it and | 451 | | | transfer it to a presentation | 452 | | | that requires more space but | 453 | | | is easier to work with, such | 454 | | | as (nested) C data structures. | 455 | | | Over the time NSS has received | 456 | | | three different ASN.1 parser | 457 | | | implementations, each having | 458 | | | their own specific properties, | 459 | | | advantages and disadvantages, | 460 | | | which is why all of them are | 461 | | | still being used (nobody has | 462 | | | yet dared to replace the older | 463 | | | with the newer ones because of | 464 | | | risks for side effects). When | 465 | | | using the ASN.1 parser(s), a | 466 | | | template definition is passed | 467 | | | to the parser, which will | 468 | | | analyze the ASN.1 data stream | 469 | | | accordingly. The templates are | 470 | | | usually closely aligned to | 471 | | | definitions found in RFC | 472 | | | documents. | 473 | | | A data block described as DER | 474 | | | is usually in ASN.1 format. | 475 | | | You must know which data you | 476 | | | are expecting, and use the | 477 | | | correct template for parsing, | 478 | | | based on the context of your | 479 | | | software's interaction. Data | 480 | | | described as PEM is a base64 | 481 | | | encoded presentation of DER, | 482 | | | usually wrapped between human | 483 | | | readable BEGIN/END lines. NSS | 484 | | | prefers the binary | 485 | | | presentation, but is often | 486 | | | capable to use base64 or ASCII | 487 | | | presentations, especially when | 488 | | | importing data from files. 
A | 489 | | | recent development adds | 490 | | | support for loading external | 491 | | | PEM files that contain private | 492 | | | keys, in a software library | 493 | | | called nss-pem, which is | 494 | | | separately available, but | 495 | | | should eventually become a | 496 | | | core part of NSS. | 497 | | | Looking at the code level, NSS | 498 | | | deals with blocks of raw data | 499 | | | all the time. The common | 500 | | | structure to store such an | 501 | | | untyped block is SECItem, | 502 | | | which contains a size and an | 503 | | | untyped C pointer variable. | 504 | | | When dealing with memory, NSS | 505 | | | makes use of arenas, which are | 506 | | | an attempt to simplify | 507 | | | management with the limited | 508 | | | offerings of C (because there | 509 | | | are no destructors). The idea | 510 | | | is to group multiple memory | 511 | | | allocations in order to | 512 | | | simplify cleanup. Performing | 513 | | | an operation often involves | 514 | | | allocating many individual | 515 | | | data items, and the code might | 516 | | | be required to abort a task at | 517 | | | many positions in the logic. | 518 | | | An arena is requested once | 519 | | | processing of a task starts, | 520 | | | and all memory allocations | 521 | | | that are logically associated | 522 | | | to that task are requested | 523 | | | from the associated arena. The | 524 | | | implementation of arenas makes | 525 | | | sure that all individual | 526 | | | memory blocks are tracked. | 527 | | | Once a task is done, | 528 | | | regardless whether it | 529 | | | completed or was aborted, the | 530 | | | programmer simply needs to | 531 | | | release the arena, and all | 532 | | | individually allocated blocks | 533 | | | will be released | 534 | | | automatically. 
Often freeing | 535 | | | is combined with immediately | 536 | | | erasing (zeroing, zfree) the | 537 | | | memory associated to the | 538 | | | arena, in order to make it | 539 | | | more difficult for attackers | 540 | | | to extract keys from a memory | 541 | | | dump. | 542 | | | NSS uses many C data | 543 | | | structures. Often NSS has | 544 | | | multiple implementations for | 545 | | | the same or similar concepts. | 546 | | | For example, there are | 547 | | | multiple presentations of | 548 | | | certificates, and the NSS | 549 | | | internals (and sometimes even | 550 | | | the application using NSS) | 551 | | | might have to convert between | 552 | | | them. | 553 | | | Key responsibilites of NSS are | 554 | | | verification of signatures and | 555 | | | certificates. In order to | 556 | | | verify a digital signature, we | 557 | | | have to look at the | 558 | | | application data (e.g., a | 559 | | | document that was signed), the | 560 | | | signature data block (the | 561 | | | digital signature), and a | 562 | | | public key (as found in a | 563 | | | certificate that is believed | 564 | | | to be the signer, e.g., | 565 | | | identified by metadata | 566 | | | received together with the | 567 | | | signature). The signature is | 568 | | | verified if it can be shown | 569 | | | that the signature data block | 570 | | | must have been produced by the | 571 | | | owner of the public key | 572 | | | (because only that owner has | 573 | | | the associated private key). | 574 | | | Verifying a certificate (A) | 575 | | | requires some additional | 576 | | | steps. First, you must | 577 | | | identify the potential signer | 578 | | | (B) of a certificate (A). This | 579 | | | is done by reading the “issuer | 580 | | | name” attribute of a | 581 | | | certificate (A), and trying to | 582 | | | find that issuer certificate | 583 | | | (B) (by looking for a | 584 | | | certificate that uses that | 585 | | | name as its “subject name”). 
| 586 | | | Then you attempt to verify the | 587 | | | signature found in (A) using | 588 | | | the public key found in (B). | 589 | | | It might be necessary to try | 590 | | | multiple certificates (B1, B2, | 591 | | | ...) each having the same | 592 | | | subject name. | 593 | | | After succeeding, it might be | 594 | | | necessary to repeat this | 595 | | | procedure recursively. The | 596 | | | goal is to eventually find a | 597 | | | certificate B (or C or ...) | 598 | | | that has an appropriate trust | 599 | | | assigned (e.g., because it can | 600 | | | be found in the CKBI module | 601 | | | and the user hasn't made any | 602 | | | overriding trust decisions, or | 603 | | | it can be found in a NSS | 604 | | | database file managed by the | 605 | | | user or by the local | 606 | | | environment). | 607 | | | After having successfully | 608 | | | verified the signatures in a | 609 | | | (chain of) issuer | 610 | | | certificate(s), we're still | 611 | | | not done with verifying the | 612 | | | certificate A. In a PKI it's | 613 | | | suggested/required to perform | 614 | | | additional checks. For | 615 | | | example: Certificates were | 616 | | | valid at the time the | 617 | | | signature was made, name in | 618 | | | certificates matches the | 619 | | | expected signer (check subject | 620 | | | name, common name, email, | 621 | | | based on application), the | 622 | | | trust restrictions recorded | 623 | | | inside the certificate | 624 | | | (extensions) permit the use | 625 | | | (e.g., encryption might be | 626 | | | allowed, but not signing), and | 627 | | | based on | 628 | | | environment/application policy | 629 | | | it might be required to | 630 | | | perform a revocation check | 631 | | | (OCSP or CRL), that asks the | 632 | | | issuer(s) of the certificates | 633 | | | whether there have been events | 634 | | | that made it necessary to | 635 | | | revoke the trust (revoke the | 636 | | | validity of the cert). 
| 637 | | | Trust anchors contained in the | 638 | | | CKBI module are usually self | 639 | | | signed, which is defined as | 640 | | | having identical subject name | 641 | | | and issuer name fields. If a | 642 | | | self-signed certificate is | 643 | | | marked as explicitly trusted, | 644 | | | NSS will skip checking the | 645 | | | self-signature for validity. | 646 | | | NSS has multiple APIs to | 647 | | | perform verification of | 648 | | | certificates. There is a | 649 | | | classic engine that is very | 650 | | | stable and works fine in all | 651 | | | simple scenarios, for example | 652 | | | if all (B) candidate issuer | 653 | | | certificates have the same | 654 | | | subject and issuer names and | 655 | | | differ by validity period; | 656 | | | however, it works only in a | 657 | | | limited amount of more | 658 | | | advanced scenarios. | 659 | | | Unfortunately, the world of | 660 | | | certificates has become more | 661 | | | complex in the recent past. | 662 | | | New Certificate Authorities | 663 | | | enter the global PKI market, | 664 | | | and in order to get started | 665 | | | with their business, they | 666 | | | might make deals with | 667 | | | established CAs and receive | 668 | | | so-called | 669 | | | cross-signing-certificates. As | 670 | | | a result, when searching for a | 671 | | | trust path from (A) to a | 672 | | | trusted anchor (root) | 673 | | | certificate (Z), the set of | 674 | | | candidate issuer certificates | 675 | | | might have different issuer | 676 | | | names (referring to the second | 677 | | | or higher issuer level). As a | 678 | | | consequence, it will be | 679 | | | necessary to try multiple | 680 | | | different alternative routes | 681 | | | while searching for (Z), in a | 682 | | | recursive manner. Only the | 683 | | | newer verification engine | 684 | | | (internally named libPKIX) is | 685 | | | capable of doing that | 686 | | | properly. 
| 687 | | | It's worth mentioning the | 688 | | | Extended Validation (EV) | 689 | | | principle, which is an effort | 690 | | | by software vendors and CAs to | 691 | | | define a stricter set of rules | 692 | | | for issuing certificates for | 693 | | | web site certificates. Instead | 694 | | | of simply verifying that the | 695 | | | requester of a certificate is | 696 | | | in control of an | 697 | | | administrative email address | 698 | | | at the desired web site's | 699 | | | domain, it's required that the | 700 | | | CA performs a verification of | 701 | | | real world identity documents | 702 | | | (such as a company | 703 | | | registration document with the | 704 | | | country's authority), and it's | 705 | | | also required that a browser | 706 | | | software performs a revocation | 707 | | | check with the CA, prior to | 708 | | | granting validity to the | 709 | | | certificate. In order to | 710 | | | distinguish an EV certificate, | 711 | | | CAs will embed a policy OID in | 712 | | | the certificate, and the | 713 | | | browser is expected to verify | 714 | | | that a trust chain permits the | 715 | | | end entity (EE) certificate to | 716 | | | make use of the policy. Only | 717 | | | the APIs of the newer libPKIX | 718 | | | engine are capable of | 719 | | | performing a policy | 720 | | | verification. | 721 | | | That's a good opportunity to | 722 | | | talk about SSL/TLS connections | 723 | | | to servers in general (not | 724 | | | just EV, not just websites). | 725 | | | Whenever this document | 726 | | | mentions SSL, it refers to | 727 | | | either SSL or TLS. (TLS is a | 728 | | | newer version of SSL with | 729 | | | enhanced features.) 
| 730 | | | When establishing an SSL | 731 | | | connection to a server, (at | 732 | | | least) a server certificate | 733 | | | (and its trust chain) is | 734 | | | exchanged from the server to | 735 | | | the client (e.g., the | 736 | | | browser), and the client | 737 | | | verifies that the certificate | 738 | | | can be verified (including | 739 | | | matching the name of the | 740 | | | expected destination server). | 741 | | | Another part of the handshake | 742 | | | between both parties is a key | 743 | | | exchange. Because public key | 744 | | | encryption is more expensive | 745 | | | (more calculations required) | 746 | | | than symmetric encryption | 747 | | | (where both parties use the | 748 | | | same key), a key agreement | 749 | | | protocol will be executed, | 750 | | | where the public and private | 751 | | | keys are used to proof and | 752 | | | verify the exchanged initial | 753 | | | information. Once the key | 754 | | | agreement is done, a symmetric | 755 | | | encryption will be used (until | 756 | | | a potential re-handshake on an | 757 | | | existing channel). The | 758 | | | combination of the hash and | 759 | | | encryption algorithms used for | 760 | | | a SSL connection is called a | 761 | | | cipher suite. | 762 | | | NSS ships with a set of cipher | 763 | | | suites that it supports at a | 764 | | | technical level. In addition, | 765 | | | NSS ships with a default | 766 | | | policy that defines which | 767 | | | cipher suites are enabled by | 768 | | | default. An application is | 769 | | | able to modify the policy used | 770 | | | at program runtime, by using | 771 | | | function calls to modify the | 772 | | | set of enabled cipher suites. 
|                                |                                | If a programmer wants to       |
|                                |                                | influence how NSS verifies     |
|                                |                                | certificates or how NSS        |
|                                |                                | verifies the data presented in |
|                                |                                | an SSL connection handshake,   |
|                                |                                | it is possible to register     |
|                                |                                | application-defined callback   |
|                                |                                | functions which will be called |
|                                |                                | by NSS at the appropriate      |
|                                |                                | point of time, and which can   |
|                                |                                | be used to override the        |
|                                |                                | decisions made by NSS.         |
|                                |                                | If you would like to use NSS   |
|                                |                                | as a toolkit that implements   |
|                                |                                | SSL, remember that you must    |
|                                |                                | init NSS first. But if you     |
|                                |                                | don't care about modifying the |
|                                |                                | default trust permanently      |
|                                |                                | (recorded on disk), you can    |
|                                |                                | use the no-database init       |
|                                |                                | calls. When creating the       |
|                                |                                | network socket for data        |
|                                |                                | exchange, note that you must   |
|                                |                                | use the operating system       |
|                                |                                | independent APIs provided by   |
|                                |                                | NSPR and NSS. It might be      |
|                                |                                | interesting to mention a       |
|                                |                                | property of the NSPR file      |
|                                |                                | descriptors, which are stacked |
|                                |                                | in layers. This means you can  |
|                                |                                | define multiple layers that    |
|                                |                                | are involved in data           |
|                                |                                | processing. A file descriptor  |
|                                |                                | has a pointer to the first     |
|                                |                                | layer handling the data. That  |
|                                |                                | layer has a pointer to a       |
|                                |                                | potential second layer, which  |
|                                |                                | might have another pointer to  |
|                                |                                | a third layer, etc. Each layer |
|                                |                                | defines its own functions for  |
|                                |                                | the                            |
|                                |                                | ope                            |
|                                |                                | n/close/read/write/poll/select |
|                                |                                | (etc.) functions. When using   |
|                                |                                | an SSL network connection,     |
|                                |                                | you'll already have two        |
|                                |                                | layers, the basic NSPR layer   |
|                                |                                | and an SSL library layer. The  |
|                                |                                | Mozilla applications define a  |
|                                |                                | third layer where application  |
|                                |                                | specific processing is         |
|                                |                                | performed. You can find more   |
|                                |                                | details in the NSPR reference  |
|                                |                                | documents.                     |
|                                |                                | NSS occasionally has to        |
|                                |                                | create outbound network        |
|                                |                                | connections, in addition to    |
|                                |                                | the connections requested by   |
|                                |                                | the application. Examples are  |
|                                |                                | retrieving OCSP (Online        |
|                                |                                | Certificate Status Protocol)   |
|                                |                                | information or downloading a   |
|                                |                                | CRL (Certificate Revocation    |
|                                |                                | List). However, NSS doesn't    |
|                                |                                | have an implementation to work |
|                                |                                | with network proxies. If you   |
|                                |                                | must support proxies in your   |
|                                |                                | application, you are able to   |
|                                |                                | register your own              |
|                                |                                | implementation of an http      |
|                                |                                | request callback interface,    |
|                                |                                | and NSS can use your           |
|                                |                                | application code that supports |
|                                |                                | proxies.                       |
|                                |                                | When using hashing,            |
|                                |                                | encryption, and decryption     |
|                                |                                | functions, it is possible to   |
|                                |                                | stream data (as opposed to     |
|                                |                                | operating on a large buffer).  |
|                                |                                | Create a context handle while  |
|                                |                                | providing all the parameters   |
|                                |                                | required for the operation,    |
|                                |                                | then call an “update” function |
|                                |                                | multiple times to pass subsets |
|                                |                                | of the input to NSS. The data  |
|                                |                                | will be processed and either   |
|                                |                                | returned directly or sent to a |
|                                |                                | callback function registered   |
|                                |                                | in the context. When done, you |
|                                |                                | call a finalization function   |
|                                |                                | that will flush out any        |
|                                |                                | pending data and free the      |
|                                |                                | resources.                     |
|                                |                                | This line is a placeholder for |
|                                |                                | future sections that should    |
|                                |                                | explain how libpkix works and  |
|                                |                                | is designed.                   |
|                                |                                | If you want to work with NSS,  |
|                                |                                | it's often helpful to use the  |
|                                |                                | command line utilities that    |
|                                |                                | are provided by the NSS        |
|                                |                                | developers. There are tools    |
|                                |                                | for managing NSS databases,    |
|                                |                                | for dumping or verifying       |
|                                |                                | certificates, for registering  |
|                                |                                | PKCS#11 modules with a         |
|                                |                                | database, for processing CMS   |
|                                |                                | encrypted/signed messages,     |
|                                |                                | etc.                           |
|                                |                                | For example, if you wanted to  |
|                                |                                | create your own pair of keys   |
|                                |                                | and request a new certificate  |
|                                |                                | from a CA, you could use       |
|                                |                                | certutil to create an empty    |
|                                |                                | database, then use certutil to |
|                                |                                | operate on your database and   |
|                                |                                | create a certificate request   |
|                                |                                | (which involves creating the   |
|                                |                                | desired key pair) and export   |
|                                |                                | it to a file, submit the       |
|                                |                                | request file to the CA,        |
|                                |                                | receive the file from the CA,  |
|                                |                                | and import the certificate     |
|                                |                                | into your database. You should |
|                                |                                | assign a good nickname to a    |
|                                |                                | certificate when importing it, |
|                                |                                | making it easier for you to    |
|                                |                                | refer to it later.             |
|                                |                                | It should be noted that the    |
|                                |                                | first database format that can |
|                                |                                | be accessed simultaneously by  |
|                                |                                | multiple applications is       |
|                                |                                | key4.db/cert9.db – database    |
|                                |                                | files with lower numbers will  |
|                                |                                | most likely experience         |
|                                |                                | unrecoverable corruption if    |
|                                |                                | you access them with multiple  |
|                                |                                | applications at the same time. |
|                                |                                | In other words, if your        |
|                                |                                | browser or your server         |
|                                |                                | operates on an older NSS       |
|                                |                                | database format, don't use the |
|                                |                                | NSS tools to operate on it     |
|                                |                                | while the other software is    |
|                                |                                | executing. At the time of      |
|                                |                                | writing NSS and the Mozilla    |
|                                |                                | applications still use the     |
|                                |                                | older database file format by  |
|                                |                                | default, where each            |
|                                |                                | application has its own NSS    |
|                                |                                | database.                      |
|                                |                                | If you require a copy of a     |
|                                |                                | certificate stored in an NSS   |
|                                |                                | database, including its        |
|                                |                                | private key, you can use       |
|                                |                                | pk12util to export it to the   |
|                                |                                | PKCS#12 file format. If you    |
|                                |                                | require it in PEM format, you  |
|                                |                                | could use the openssl pkcs12   |
|                                |                                | command (that's not NSS) to    |
|                                |                                | convert the PKCS#12 file to    |
|                                |                                | PEM.                           |
|                                |                                | This line is a placeholder for |
|                                |                                | how to prepare a database, how |
|                                |                                | to dump a cert, and how to     |
|                                |                                | convert data.                  |
|                                |                                | You might have been motivated  |
|                                |                                | to work with NSS because it is |
|                                |                                | used by the Mozilla            |
|                                |                                | applications such as Firefox,  |
|                                |                                | Thunderbird, etc. If you build |
|                                |                                | the Mozilla application, it    |
|                                |                                | will automatically build the   |
|                                |                                | NSS library, too. However, if  |
|                                |                                | you want to work with the NSS  |
|                                |                                | command line tools, you will   |
|                                |                                | have to follow the standalone  |
|                                |                                | NSS build instructions, and    |
|                                |                                | build NSS outside of the       |
|                                |                                | Mozilla application sources.   |
|                                |                                | The key database file will     |
|                                |                                | contain at least one symmetric |
|                                |                                | key, which NSS will            |
|                                |                                | automatically create on        |
|                                |                                | demand, and which will be used |
|                                |                                | to protect your secret         |
|                                |                                | (private) keys. The symmetric  |
|                                |                                | key can be protected with PBE  |
|                                |                                | by setting a master password   |
|                                |                                | on the database. As soon as    |
|                                |                                | you set a master password, an  |
|                                |                                | attacker stealing your key     |
|                                |                                | database will no longer be     |
|                                |                                | able to get access to your     |
|                                |                                | private key, unless the        |
|                                |                                | attacker would also succeed in |
|                                |                                | stealing the master password.  |
|                                |                                | Now you might be interested in |
|                                |                                | how to get the                 |
|                                |                                | :ref:`mozilla_projects_nss     |
|                                |                                | _nss_sources_building_testing` |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 3                              | :ref:`mozill                   | **NSS**                        |
|                                | a_projects_nss_blank_function` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | One-line description of what   |
|                                |                                | the function does (more than   |
|                                |                                | just what it returns).         |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 4                              | :ref:`                         | **Guide, NSS, Security**       |
|                                | mozilla_projects_nss_building` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | This page has detailed         |
|                                |                                | information on how to build    |
|                                |                                | NSS. Because NSS is a          |
|                                |                                | cross-platform library that    |
|                                |                                | builds on many different       |
|                                |                                | platforms and has many         |
|                                |                                | options, it may be complex to  |
|                                |                                | build. Please read these       |
|                                |                                | instructions carefully before  |
|                                |                                | attempting to build.           |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 5                              | :ref:`mozilla_projec           | **NSS**                        |
|                                | ts_nss_cert_findcertbydercert` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | Find a certificate in the      |
|                                |                                | database that matches a        |
|                                |                                | DER-encoded certificate.       |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 6                              | :ref:`mozilla_projects_n       | **NSS**                        |
|                                | ss_cert_findcertbyissuerandsn` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | Find a certificate in the      |
|                                |                                | database with the given issuer |
|                                |                                | and serial number.             |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 7                              | :r                             | **NSS**                        |
|                                | ef:`mozilla_projects_nss_certi |                                |
|                                | ficate_download_specification` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | This document describes the    |
|                                |                                | data formats used by NSS 3.x   |
|                                |                                | for installing certificates.   |
|                                |                                | This document is currently     |
|                                |                                | being revised and has not yet  |
|                                |                                | been reviewed for accuracy.    |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 8                              | :ref:`mozilla_proje            | **NSS**                        |
|                                | cts_nss_certificate_functions` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | The public functions listed    |
|                                |                                | here are used to interact with |
|                                |                                | certificate databases.         |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 9                              | :ref:`mozill                   | **NSS**                        |
|                                | a_projects_nss_certverify_log` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | All the NSS verify functions,  |
|                                |                                | except the \*VerifyNow()       |
|                                |                                | functions, take a parameter    |
|                                |                                | called 'CERTVerifyLog'. If you |
|                                |                                | supply the log parameter, NSS  |
|                                |                                | will continue chain validation |
|                                |                                | after each error. The log      |
|                                |                                | tells you what the problem was |
|                                |                                | with the chain and what        |
|                                |                                | certificate in the chain       |
|                                |                                | failed.                        |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 10                             | :ref:`mozil                    | **NSS**                        |
|                                | la_projects_nss_code_coverage` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | *No summary!*                  |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 11                             | :ref:`mozilla_projec           | **NSS**                        |
|                                | ts_nss_cryptography_functions` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | The public functions listed    |
|                                |                                | here perform cryptographic     |
|                                |                                | operations based on the PKCS   |
|                                |                                | #11 interface.                 |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 12                             | :ref:`mozilla_projects         | **NSS**                        |
|                                | _nss_deprecated_ssl_functions` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | The following SSL functions    |
|                                |                                | have been replaced with newer  |
|                                |                                | versions. The deprecated       |
|                                |                                | functions are not supported by |
|                                |                                | the new SSL shared libraries.  |
|                                |                                | Applications that want to use  |
|                                |                                | the SSL shared libraries must  |
|                                |                                | convert to calling the new     |
|                                |                                | replacement functions listed   |
|                                |                                | below.                         |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 13                             | :ref:`mozil                    | **Decrypt, Encryption,         |
|                                | la_projects_nss_encrypt_decryp | Example, NSS, Sample code**    |
|                                | t_mac_keys_as_session_objects` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | Generates encryption/mac keys  |
|                                |                                | and uses session objects.      |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 14                             | :ref:`mozilla_projects_nss_en  | **Example, Intermediate,       |
|                                | crypt_decrypt_mac_using_token` | Mozilla, NSS**                 |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | Generates encryption/mac keys  |
|                                |                                | and uses token for storing.    |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 15                             | :                              | **NSS, NeedsUpdate**           |
|                                | ref:`mozilla_projects_nss_faq` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | NSS is a set of libraries,     |
|                                |                                | APIs, utilities, and           |
|                                |                                | documentation designed to      |
|                                |                                | support cross-platform         |
|                                |                                | development of                 |
|                                |                                | security-enabled client and    |
|                                |                                | server applications. It        |
|                                |                                | provides a complete            |
|                                |                                | open-source implementation of  |
|                                |                                | the crypto libraries used by   |
|                                |                                | Mozilla and other companies in |
|                                |                                | the Firefox browser, AOL       |
|                                |                                | Instant Messenger (AIM),       |
|                                |                                | server products from Red Hat,  |
|                                |                                | and other products.            |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 16                             | :ref:`mozilla_projects_n       | **NSS**                        |
|                                | ss_fips_mode_-_an_explanation` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | NSS has a "FIPS Mode" that can |
|                                |                                | be enabled when NSS is         |
|                                |                                | compiled in a specific way.    |
|                                |                                | (Note: Mozilla does not        |
|                                |                                | distribute a "FIPS Mode"-ready |
|                                |                                | NSS with Firefox.) This page   |
|                                |                                | attempts to provide an         |
|                                |                                | informal explanation of what   |
|                                |                                | it is, who would use it, and   |
|                                |                                | why.                           |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 17                             | :ref:`mozilla_projects         | **Samples WIP**                |
|                                | _nss_getting_started_with_nss` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | Network Security Services      |
|                                |                                | (NSS) is a base library for    |
|                                |                                | cryptographic algorithms and   |
|                                |                                | secure network protocols used  |
|                                |                                | by Mozilla software.           |
|                                |                                | Would you like to get involved |
|                                |                                | and help us to improve the     |
|                                |                                | core security of Mozilla       |
|                                |                                | Firefox and other applications |
|                                |                                | that make use of NSS? We are   |
|                                |                                | looking forward to your        |
|                                |                                | contributions!                 |
|                                |                                | We have a large list of tasks  |
|                                |                                | waiting for attention, and we  |
|                                |                                | are happy to assist you in     |
|                                |                                | identifying areas that match   |
|                                |                                | your interest or skills. You   |
|                                |                                | can find us on `Mozilla        |
|                                |                                | IRC <https://developer.mo      |
|                                |                                | zilla.org/en-US/docs/Mozilla/Q |
|                                |                                | A/Getting_Started_with_IRC>`__ |
|                                |                                | in channel                     |
|                                |                                | `#nss <                        |
|                                |                                | irc://irc.mozilla.org/#nss>`__ |
|                                |                                | or you could ask your          |
|                                |                                | questions on the               |
|                                |                                | `mozilla.dev.tech.cry          |
|                                |                                | pto <https://lists.mozilla.org |
|                                |                                | /listinfo/dev-tech-crypto/>`__ |
|                                |                                | newsgroup.                     |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 18                             | :ref:`mozilla_proje            | **Advanced, Guide, NSS**       |
|                                | cts_nss_http_delegation_clone` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | Up to version 3.11,            |
|                                |                                | :ref:`mozilla_projects_nss`    |
|                                |                                | connects directly over         |
|                                |                                | `HTTP <https://developer.mozil |
|                                |                                | la.org/en-US/docs/Web/HTTP>`__ |
|                                |                                | to an OCSP responder to make   |
|                                |                                | the request and fetch the      |
|                                |                                | response. It does so in a      |
|                                |                                | blocking fashion, and also     |
|                                |                                | directly to the responder,     |
|                                |                                | ignoring any proxy the         |
|                                |                                | application may wish to use.   |
|                                |                                | This causes OCSP requests to   |
|                                |                                | fail if the network            |
|                                |                                | environment requires the use   |
|                                |                                | of a proxy.                    |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 19                             | :ref:`mozilla                  | **Advanced, Guide, NSS**       |
|                                | _projects_nss_http_delegation` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | Up to version 3.11,            |
|                                |                                | :ref:`mozilla_projects_nss`    |
|                                |                                | connects directly over         |
|                                |                                | `HTTP <https://developer.mozil |
|                                |                                | la.org/en-US/docs/Web/HTTP>`__ |
|                                |                                | to an OCSP responder to make   |
|                                |                                | the request and fetch the      |
|                                |                                | response. It does so in a      |
|                                |                                | blocking fashion, and also     |
|                                |                                | directly to the responder,     |
|                                |                                | ignoring any proxy the         |
|                                |                                | application may wish to use.   |
|                                |                                | This causes OCSP requests to   |
|                                |                                | fail if the network            |
|                                |                                | environment requires the use   |
|                                |                                | of a proxy.                    |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 20                             | :ref:`moz                      | **Introduction, Mozilla, NSS** |
|                                | illa_projects_nss_introduction |                                |
|                                | _to_network_security_services` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | **Network Security Services    |
|                                |                                | (NSS)** is a set of libraries  |
|                                |                                | designed to support            |
|                                |                                | cross-platform development of  |
|                                |                                | communications applications    |
|                                |                                | that support SSL, S/MIME, and  |
|                                |                                | other Internet security        |
|                                |                                | standards. For a general       |
|                                |                                | overview of NSS and the        |
|                                |                                | standards it supports, see     |
|                                |                                | :ref:`m                        |
|                                |                                | ozilla_projects_nss_overview`. |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 21                             | :ref:`mozilla_project          | **D**                          |
|                                | s_nss_jss_4_4_0_release_notes` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | The Java Security Services     |
|                                |                                | (JSS) team has released JSS    |
|                                |                                | 4.4.0, which is a minor        |
|                                |                                | release.                       |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 22                             | :                              | **Guide, JSS, NSS,             |
|                                | ref:`mozilla_projects_nss_jss` | NeedsMigration**               |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | **The JSS project has been     |
|                                |                                | relocated!**                   |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 23                             | :ref:`mozilla_proj             | **JSS, NSS**                   |
|                                | ects_nss_jss_4_3_releasenotes` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | Network Security Services for  |
|                                |                                | Java (JSS) 4.3 is a minor      |
|                                |                                | release with the following new |
|                                |                                | features:                      |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 24                             | :ref:`mozilla_project          | **JSS, NSPR, NSS**             |
|                                | s_nss_jss_4_3_1_release_notes` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | Network Security Services for  |
|                                |                                | Java (JSS) 4.3.1 is a minor    |
|                                |                                | release with the following new |
|                                |                                | features:                      |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 25                             | :ref                           | **JSS**                        |
|                                | :`mozilla_projects_nss_jss_bui |                                |
|                                | ld_instructions_for_jss_4_3_x` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | Newsgroup:                     |
|                                |                                | `mozilla.dev.tech              |
|                                |                                | .crypto <news://news.mozilla.o |
|                                |                                | rg/mozilla.dev.tech.crypto>`__ |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 26                             | :ref                           | **JSS**                        |
|                                | :`mozilla_projects_nss_jss_bui |                                |
|                                | ld_instructions_for_jss_4_4_x` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | Newsgroup:                     |
|                                |                                | `mozilla.dev.tech              |
|                                |                                | .crypto <news://news.mozilla.o |
|                                |                                | rg/mozilla.dev.tech.crypto>`__ |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 27                             | :ref:`moz                      | **JSS**                        |
|                                | illa_projects_nss_jss_jss_faq` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | Newsgroup:                     |
|                                |                                | `mozilla.dev.tech.cry          |
|                                |                                | pto <news://news.mozilla.org:1 |
|                                |                                | 19/mozilla.dev.tech.crypto>`__ |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 28                             | :ref:`mozilla_projec           | **Crypto, JSS, Security**      |
|                                | ts_nss_jss_jss_provider_notes` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | This page has been moved to    |
|                                |                                | http://www.do                  |
|                                |                                | gtagpki.org/wiki/JSS_Provider. |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 29                             | :r                             |                                |
|                                | ef:`mozilla_projects_nss_jss_m |                                |
|                                | ozilla-jss_jca_provider_notes` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | *                              |
|                                |                                | Newsgroup:*\ `mozilla.dev.tech |
|                                |                                | .crypto <news://news.mozilla.o |
|                                |                                | rg/mozilla.dev.tech.crypto>`__ |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 30                             | :ref:`mozil                    | **JSS**                        |
|                                | la_projects_nss_jss_using_jss` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | *News                          |
|                                |                                | group:*\ `mozilla.dev.tech.cry |
|                                |                                | pto <news://news.mozilla.org:1 |
|                                |                                | 19/mozilla.dev.tech.crypto>`__ |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 31                             | :ref:`mozill                   |                                |
|                                | a_projects_nss_key_log_format` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | Key logs can be written by NSS |
|                                |                                | so that external programs can  |
|                                |                                | decrypt TLS connections.       |
|                                |                                | Wireshark 1.6.0 and above can  |
|                                |                                | use these log files to decrypt |
|                                |                                | packets. You can tell          |
|                                |                                | Wireshark where to find the    |
|                                |                                | key file via                   |
|                                |                                | *Edit→Preferences→Pro          |
|                                |                                | tocols→TLS→(Pre)-Master-Secret |
|                                |                                | log filename*.                 |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 32                             | :ref:`mozilla_p                | **NSS**                        |
|                                | rojects_nss_memory_allocation` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | NSS makes extensive use of     |
|                                |                                | NSPR's PLArenaPools for memory |
|                                |                                | allocation.                    |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 33                             | :ref:`mozilla_pr               |                                |
|                                | ojects_nss_modutil-tasks_html` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | *No summary!*                  |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 34                             | :ref:`mozilla                  | **Example**                    |
|                                | _projects_nss_new_nss_samples` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | This collection of sample code |
|                                |                                | demonstrates how NSS can be    |
|                                |                                | used for cryptographic         |
|                                |                                | operations, certificate        |
|                                |                                | handling, SSL, etc. It also    |
|                                |                                | demonstrates some best         |
|                                |                                | practices in the application   |
|                                |                                | of cryptography.               |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 35                             | :ref:`moz                      | **Gecko, NSS, Security**       |
|                                | illa_projects_nss_notes_on_tls |                                |
|                                | _-_ssl_3_0_intolerant_servers` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | A number of Netscape 6.x/7.x   |
|                                |                                | and Mozilla users have         |
|                                |                                | reported that some secure      |
|                                |                                | sites -- typically sites       |
|                                |                                | featuring online transactions  |
|                                |                                | or online banking over the     |
|                                |                                | HTTPS protocol -- do not       |
|                                |                                | display any content at all.    |
|                                |                                | The connection seems           |
|                                |                                | terminated and a blank page is |
|                                |                                | displayed. This is the main    |
|                                |                                | symptom of the problem when    |
|                                |                                | Mozilla based browsers         |
|                                |                                | encounter TLS/SSL 3.0          |
|                                |                                | intolerant servers.            |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 36                             | :ref:`mozilla_projects_nss_n   |                                |
|                                | ss_3_11_10_release_notes_html` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | Newsgroup:                     |
|                                |                                | `mozilla.dev.tech              |
|                                |                                | .crypto <news://news.mozilla.o |
|                                |                                | rg/mozilla.dev.tech.crypto>`__ |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 37                             | :ref:`mozilla_projects_ns      |                                |
|                                | s_nss_3_12_release_notes_html` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | Newsgroup:                     |
|                                |                                | `mozilla.dev.tech              |
|                                |                                | .crypto <news://news.mozilla.o |
|                                |                                | rg/mozilla.dev.tech.crypto>`__ |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 38                             | :ref:`mozilla_projects_nss_    |                                |
|                                | nss_3_12_1_release_notes_html` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | Newsgroup:                     |
|                                |                                | `mozilla.dev.tech              |
|                                |                                | .crypto <news://news.mozilla.o |
|                                |                                | rg/mozilla.dev.tech.crypto>`__ |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 39                             | :ref:`mozilla_projects_nss_    |                                |
|                                | nss_3_12_2_release_notes_html` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | Newsgroup:                     |
|                                |                                | `mozilla.dev.tech              |
|                                |                                | .crypto <news://news.mozilla.o |
|                                |                                | rg/mozilla.dev.tech.crypto>`__ |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 40                             | :ref:`mozilla_projects         |                                |
|                                | _nss_nss_3_12_3_release_notes` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | Newsgroup:                     |
|                                |                                | `mozilla.dev.tech              |
|                                |                                | .crypto <news://news.mozilla.o |
|                                |                                | rg/mozilla.dev.tech.crypto>`__ |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 41                             | :ref:`mozilla_projects         |                                |
|                                | _nss_nss_3_12_4_release_notes` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | Network Security Services      |
|                                |                                | (NSS) 3.12.4 is a patch        |
|                                |                                | release for NSS 3.12. The bug  |
|                                |                                | fixes in NSS 3.12.4 are        |
|                                |                                | described in the "`Bugs        |
|                                |                                | Fixed <#bugsfixed>`__" section |
|                                |                                | below.                         |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 42                             | :ref:`mozilla_projects         |                                |
|                                | _nss_nss_3_12_5_release_notes` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | Network Security Services      |
|                                |                                | (NSS) 3.12.5 is a patch        |
|                                |                                | release for NSS 3.12. The bug  |
|                                |                                | fixes in NSS 3.12.5 are        |
|                                |                                | described in the "`Bugs        |
|                                |                                | Fixed <https                   |
|                                |                                | ://dev.mozilla.jp/localmdc/loc |
|                                |                                | almdc_5125.html#bugsfixed>`__" |
|                                |                                | section below.                 |
| 1488 +--------------------------------+--------------------------------+--------------------------------+ 1489 | | | | 1490 +--------------------------------+--------------------------------+--------------------------------+ 1491 | 43 | :ref:`mozilla_projects | | 1492 | | _nss_nss_3_12_6_release_notes` | | 1493 +--------------------------------+--------------------------------+--------------------------------+ 1494 | | | Network Security Services | 1495 | | | (NSS) 3.12.6 is a patch | 1496 | | | release for NSS 3.12. The bug | 1497 | | | fixes in NSS 3.12.6 are | 1498 | | | described in the "`Bugs | 1499 | | | Fixed <http://md | 1500 | | | n.beonex.com/en/NSS_3.12.6_rel | 1501 | | | ease_notes.html#bugsfixed>`__" | 1502 | | | section below. | 1503 +--------------------------------+--------------------------------+--------------------------------+ 1504 | | | | 1505 +--------------------------------+--------------------------------+--------------------------------+ 1506 | 44 | :ref:`mozilla_projects | **NSS** | 1507 | | _nss_nss_3_12_9_release_notes` | | 1508 +--------------------------------+--------------------------------+--------------------------------+ 1509 | | | Network Security Services | 1510 | | | (NSS) 3.12.9 is a patch | 1511 | | | release for NSS 3.12. The bug | 1512 | | | fixes in NSS 3.12.9 are | 1513 | | | described in the "\ `Bugs | 1514 | | | Fixed <#bugsfixed>`__" section | 1515 | | | below. 
| 1516 +--------------------------------+--------------------------------+--------------------------------+ 1517 | | | | 1518 +--------------------------------+--------------------------------+--------------------------------+ 1519 | 45 | :ref:`mozilla_projec | | 1520 | | ts_nss_nss_3_14_release_notes` | | 1521 +--------------------------------+--------------------------------+--------------------------------+ 1522 | | | The NSS team has released | 1523 | | | Network Security Services | 1524 | | | (NSS) 3.14, which is a minor | 1525 | | | release with the following new | 1526 | | | features: | 1527 +--------------------------------+--------------------------------+--------------------------------+ 1528 | | | | 1529 +--------------------------------+--------------------------------+--------------------------------+ 1530 | 46 | :ref:`mozilla_projects | | 1531 | | _nss_nss_3_14_1_release_notes` | | 1532 +--------------------------------+--------------------------------+--------------------------------+ 1533 | | | Network Security Services | 1534 | | | (NSS) 3.14.1 is a patch | 1535 | | | release for NSS 3.14. The bug | 1536 | | | fixes in NSS 3.14.1 are | 1537 | | | described in the "Bugs Fixed" | 1538 | | | section below. | 1539 +--------------------------------+--------------------------------+--------------------------------+ 1540 | | | | 1541 +--------------------------------+--------------------------------+--------------------------------+ 1542 | 47 | :ref:`mozilla_projects | | 1543 | | _nss_nss_3_14_2_release_notes` | | 1544 +--------------------------------+--------------------------------+--------------------------------+ 1545 | | | Network Security Services | 1546 | | | (NSS) 3.14.2 is a patch | 1547 | | | release for NSS 3.14. The bug | 1548 | | | fixes in NSS 3.14.2 are | 1549 | | | described in the "Bugs Fixed" | 1550 | | | section below. NSS 3.14.2 | 1551 | | | should be used with NSPR 4.9.5 | 1552 | | | or newer. 
| 1553 +--------------------------------+--------------------------------+--------------------------------+ 1554 | | | | 1555 +--------------------------------+--------------------------------+--------------------------------+ 1556 | 48 | :ref:`mozilla_projects | | 1557 | | _nss_nss_3_14_3_release_notes` | | 1558 +--------------------------------+--------------------------------+--------------------------------+ 1559 | | | Network Security Services | 1560 | | | (NSS) 3.14.3 is a patch | 1561 | | | release for NSS 3.14. The bug | 1562 | | | fixes in NSS 3.14.3 are | 1563 | | | described in the "Bugs Fixed" | 1564 | | | section below. | 1565 +--------------------------------+--------------------------------+--------------------------------+ 1566 | | | | 1567 +--------------------------------+--------------------------------+--------------------------------+ 1568 | 49 | :ref:`mozilla_projects | | 1569 | | _nss_nss_3_14_4_release_notes` | | 1570 +--------------------------------+--------------------------------+--------------------------------+ 1571 | | | Network Security Services | 1572 | | | (NSS) 3.14.4 is a patch | 1573 | | | release for NSS 3.14. The bug | 1574 | | | fixes in NSS 3.14.4 are | 1575 | | | described in the "Bugs Fixed" | 1576 | | | section below. | 1577 +--------------------------------+--------------------------------+--------------------------------+ 1578 | | | | 1579 +--------------------------------+--------------------------------+--------------------------------+ 1580 | 50 | :ref:`mozilla_projects | | 1581 | | _nss_nss_3_14_5_release_notes` | | 1582 +--------------------------------+--------------------------------+--------------------------------+ 1583 | | | Network Security Services | 1584 | | | (NSS) 3.14.5 is a patch | 1585 | | | release for NSS 3.14. The bug | 1586 | | | fixes in NSS 3.14.5 are | 1587 | | | described in the "Bugs Fixed" | 1588 | | | section below. 
| 1589 +--------------------------------+--------------------------------+--------------------------------+ 1590 | | | | 1591 +--------------------------------+--------------------------------+--------------------------------+ 1592 | 51 | :ref:`mozilla_projec | | 1593 | | ts_nss_nss_3_15_release_notes` | | 1594 +--------------------------------+--------------------------------+--------------------------------+ 1595 | | | The NSS team has released | 1596 | | | Network Security Services | 1597 | | | (NSS) 3.15, which is a minor | 1598 | | | release. | 1599 +--------------------------------+--------------------------------+--------------------------------+ 1600 | | | | 1601 +--------------------------------+--------------------------------+--------------------------------+ 1602 | 52 | :ref:`mozilla_projects | | 1603 | | _nss_nss_3_15_1_release_notes` | | 1604 +--------------------------------+--------------------------------+--------------------------------+ 1605 | | | Network Security Services | 1606 | | | (NSS) 3.15.1 is a patch | 1607 | | | release for NSS 3.15. The bug | 1608 | | | fixes in NSS 3.15.1 are | 1609 | | | described in the "Bugs Fixed" | 1610 | | | section below. | 1611 +--------------------------------+--------------------------------+--------------------------------+ 1612 | | | | 1613 +--------------------------------+--------------------------------+--------------------------------+ 1614 | 53 | :ref:`mozilla_projects | | 1615 | | _nss_nss_3_15_2_release_notes` | | 1616 +--------------------------------+--------------------------------+--------------------------------+ 1617 | | | Network Security Services | 1618 | | | (NSS) 3.15.2 is a patch | 1619 | | | release for NSS 3.15. The bug | 1620 | | | fixes in NSS 3.15.2 are | 1621 | | | described in the "Bugs Fixed" | 1622 | | | section below. 
| 1623 +--------------------------------+--------------------------------+--------------------------------+ 1624 | | | | 1625 +--------------------------------+--------------------------------+--------------------------------+ 1626 | 54 | :ref:`mozilla_projects | | 1627 | | _nss_nss_3_15_3_release_notes` | | 1628 +--------------------------------+--------------------------------+--------------------------------+ 1629 | | | Network Security Services | 1630 | | | (NSS) 3.15.3 is a patch | 1631 | | | release for NSS 3.15. The bug | 1632 | | | fixes in NSS 3.15.3 are | 1633 | | | described in the "Bugs Fixed" | 1634 | | | section below. | 1635 +--------------------------------+--------------------------------+--------------------------------+ 1636 | | | | 1637 +--------------------------------+--------------------------------+--------------------------------+ 1638 | 55 | :ref:`mozilla_projects_n | | 1639 | | ss_nss_3_15_3_1_release_notes` | | 1640 +--------------------------------+--------------------------------+--------------------------------+ 1641 | | | Network Security Services | 1642 | | | (NSS) 3.15.3.1 is a patch | 1643 | | | release for NSS 3.15. The bug | 1644 | | | fixes in NSS 3.15.3.1 are | 1645 | | | described in the "Bugs Fixed" | 1646 | | | section below. | 1647 +--------------------------------+--------------------------------+--------------------------------+ 1648 | | | | 1649 +--------------------------------+--------------------------------+--------------------------------+ 1650 | 56 | :ref:`mozilla_projects | | 1651 | | _nss_nss_3_15_4_release_notes` | | 1652 +--------------------------------+--------------------------------+--------------------------------+ 1653 | | | Network Security Services | 1654 | | | (NSS) 3.15.4 is a patch | 1655 | | | release for NSS 3.15. The bug | 1656 | | | fixes in NSS 3.15.4 are | 1657 | | | described in the "Bugs Fixed" | 1658 | | | section below. 
| 1659 +--------------------------------+--------------------------------+--------------------------------+ 1660 | | | | 1661 +--------------------------------+--------------------------------+--------------------------------+ 1662 | 57 | :ref:`mozilla_projects | | 1663 | | _nss_nss_3_15_5_release_notes` | | 1664 +--------------------------------+--------------------------------+--------------------------------+ 1665 | | | Network Security Services | 1666 | | | (NSS) 3.15.5 is a patch | 1667 | | | release for NSS 3.15. The bug | 1668 | | | fixes in NSS 3.15.5 are | 1669 | | | described in the "Bugs Fixed" | 1670 | | | section below. | 1671 +--------------------------------+--------------------------------+--------------------------------+ 1672 | | | | 1673 +--------------------------------+--------------------------------+--------------------------------+ 1674 | 58 | :ref:`mozilla_projec | | 1675 | | ts_nss_nss_3_16_release_notes` | | 1676 +--------------------------------+--------------------------------+--------------------------------+ 1677 | | | The NSS team has released | 1678 | | | Network Security Services | 1679 | | | (NSS) 3.16, which is a minor | 1680 | | | release. | 1681 +--------------------------------+--------------------------------+--------------------------------+ 1682 | | | | 1683 +--------------------------------+--------------------------------+--------------------------------+ 1684 | 59 | :ref:`mozilla_projects | | 1685 | | _nss_nss_3_16_1_release_notes` | | 1686 +--------------------------------+--------------------------------+--------------------------------+ 1687 | | | Network Security Services | 1688 | | | (NSS) 3.16.1 is a patch | 1689 | | | release for NSS 3.16. The bug | 1690 | | | fixes in NSS 3.16.1 are | 1691 | | | described in the "Bugs Fixed" | 1692 | | | section below. 
| 1693 +--------------------------------+--------------------------------+--------------------------------+ 1694 | | | | 1695 +--------------------------------+--------------------------------+--------------------------------+ 1696 | 60 | :ref:`mozilla_projects | | 1697 | | _nss_nss_3_16_2_release_notes` | | 1698 +--------------------------------+--------------------------------+--------------------------------+ 1699 | | | Network Security Services | 1700 | | | (NSS) 3.16.2 is a patch | 1701 | | | release for NSS 3.16. The bug | 1702 | | | fixes in NSS 3.16.2 are | 1703 | | | described in the "Bugs Fixed" | 1704 | | | section below. | 1705 +--------------------------------+--------------------------------+--------------------------------+ 1706 | | | | 1707 +--------------------------------+--------------------------------+--------------------------------+ 1708 | 61 | :ref:`mozilla_projects_n | **Reference, Security** | 1709 | | ss_nss_3_16_2_1_release_notes` | | 1710 +--------------------------------+--------------------------------+--------------------------------+ 1711 | | | Network Security Services | 1712 | | | (NSS) 3.16.2.1 is a patch | 1713 | | | release for NSS 3.16, based on | 1714 | | | the NSS 3.16.2 release. The | 1715 | | | bug fixes in NSS 3.16.2.1 are | 1716 | | | described in the "Bugs Fixed" | 1717 | | | section below. | 1718 +--------------------------------+--------------------------------+--------------------------------+ 1719 | | | | 1720 +--------------------------------+--------------------------------+--------------------------------+ 1721 | 62 | :ref:`mozilla_projects_n | **Reference, Security** | 1722 | | ss_nss_3_16_2_2_release_notes` | | 1723 +--------------------------------+--------------------------------+--------------------------------+ 1724 | | | Network Security Services | 1725 | | | (NSS) 3.16.2.2 is a patch | 1726 | | | release for NSS 3.16. 
The bug | 1727 | | | fixes in NSS 3.16.2.2 are | 1728 | | | described in the "Bugs Fixed" | 1729 | | | section below. | 1730 +--------------------------------+--------------------------------+--------------------------------+ 1731 | | | | 1732 +--------------------------------+--------------------------------+--------------------------------+ 1733 | 63 | :ref:`mozilla_projects_n | **Reference, Security** | 1734 | | ss_nss_3_16_2_3_release_notes` | | 1735 +--------------------------------+--------------------------------+--------------------------------+ 1736 | | | Network Security Services | 1737 | | | (NSS) 3.16.2.3 is a patch | 1738 | | | release for NSS 3.16. The bug | 1739 | | | fixes in NSS 3.16.2.3 are | 1740 | | | described in the "Bugs Fixed" | 1741 | | | section below. | 1742 +--------------------------------+--------------------------------+--------------------------------+ 1743 | | | | 1744 +--------------------------------+--------------------------------+--------------------------------+ 1745 | 64 | :ref:`mozilla_projects | | 1746 | | _nss_nss_3_16_3_release_notes` | | 1747 +--------------------------------+--------------------------------+--------------------------------+ 1748 | | | Network Security Services | 1749 | | | (NSS) 3.16.3 is a patch | 1750 | | | release for NSS 3.16. The bug | 1751 | | | fixes in NSS 3.16.3 are | 1752 | | | described in the "Bugs Fixed" | 1753 | | | section below. | 1754 +--------------------------------+--------------------------------+--------------------------------+ 1755 | | | | 1756 +--------------------------------+--------------------------------+--------------------------------+ 1757 | 65 | :ref:`mozilla_projects | | 1758 | | _nss_nss_3_16_4_release_notes` | | 1759 +--------------------------------+--------------------------------+--------------------------------+ 1760 | | | Network Security Services | 1761 | | | (NSS) 3.16.4 is a patch | 1762 | | | release for NSS 3.16. 
The bug | 1763 | | | fixes in NSS 3.16.4 are | 1764 | | | described in the "Bugs Fixed" | 1765 | | | section below. | 1766 +--------------------------------+--------------------------------+--------------------------------+ 1767 | | | | 1768 +--------------------------------+--------------------------------+--------------------------------+ 1769 | 66 | :ref:`mozilla_projects | **Reference, Security** | 1770 | | _nss_nss_3_16_5_release_notes` | | 1771 +--------------------------------+--------------------------------+--------------------------------+ 1772 | | | Network Security Services | 1773 | | | (NSS) 3.16.5 is a patch | 1774 | | | release for NSS 3.16. The bug | 1775 | | | fixes in NSS 3.16.5 are | 1776 | | | described in the "Bugs Fixed" | 1777 | | | section below. | 1778 +--------------------------------+--------------------------------+--------------------------------+ 1779 | | | | 1780 +--------------------------------+--------------------------------+--------------------------------+ 1781 | 67 | :ref:`mozilla_projects | **Reference, Security** | 1782 | | _nss_nss_3_16_6_release_notes` | | 1783 +--------------------------------+--------------------------------+--------------------------------+ 1784 | | | Network Security Services | 1785 | | | (NSS) 3.16.6 is a patch | 1786 | | | release for NSS 3.16. The bug | 1787 | | | fixes in NSS 3.16.6 are | 1788 | | | described in the "Bugs Fixed" | 1789 | | | section below. | 1790 +--------------------------------+--------------------------------+--------------------------------+ 1791 | | | | 1792 +--------------------------------+--------------------------------+--------------------------------+ 1793 | 68 | :ref:`mozilla_projec | | 1794 | | ts_nss_nss_3_17_release_notes` | | 1795 +--------------------------------+--------------------------------+--------------------------------+ 1796 | | | The NSS team has released | 1797 | | | Network Security Services | 1798 | | | (NSS) 3.17, which is a minor | 1799 | | | release. 
| 1800 +--------------------------------+--------------------------------+--------------------------------+ 1801 | | | | 1802 +--------------------------------+--------------------------------+--------------------------------+ 1803 | 69 | :ref:`mozilla_projects | **Reference, Security** | 1804 | | _nss_nss_3_17_1_release_notes` | | 1805 +--------------------------------+--------------------------------+--------------------------------+ 1806 | | | Network Security Services | 1807 | | | (NSS) 3.17.1 is a patch | 1808 | | | release for NSS 3.17. The bug | 1809 | | | fixes in NSS 3.17.1 are | 1810 | | | described in the "Bugs Fixed" | 1811 | | | section below. | 1812 +--------------------------------+--------------------------------+--------------------------------+ 1813 | | | | 1814 +--------------------------------+--------------------------------+--------------------------------+ 1815 | 70 | :ref:`mozilla_projects | | 1816 | | _nss_nss_3_17_2_release_notes` | | 1817 +--------------------------------+--------------------------------+--------------------------------+ 1818 | | | Network Security Services | 1819 | | | (NSS) 3.17.2 is a patch | 1820 | | | release for NSS 3.17. The bug | 1821 | | | fixes in NSS 3.17.2 are | 1822 | | | described in the "Bugs Fixed" | 1823 | | | section below. | 1824 +--------------------------------+--------------------------------+--------------------------------+ 1825 | | | | 1826 +--------------------------------+--------------------------------+--------------------------------+ 1827 | 71 | :ref:`mozilla_projects | **Guide, NSS, Security** | 1828 | | _nss_nss_3_17_3_release_notes` | | 1829 +--------------------------------+--------------------------------+--------------------------------+ 1830 | | | Network Security Services | 1831 | | | (NSS) 3.17.3 is a patch | 1832 | | | release for NSS 3.17. The bug | 1833 | | | fixes in NSS 3.17.3 are | 1834 | | | described in the "Bugs Fixed" | 1835 | | | section below. 
| 1836 +--------------------------------+--------------------------------+--------------------------------+ 1837 | | | | 1838 +--------------------------------+--------------------------------+--------------------------------+ 1839 | 72 | :ref:`mozilla_projects | **Guide, NSS, Security** | 1840 | | _nss_nss_3_17_4_release_notes` | | 1841 +--------------------------------+--------------------------------+--------------------------------+ 1842 | | | Network Security Services | 1843 | | | (NSS) 3.17.4 is a patch | 1844 | | | release for NSS 3.17. The bug | 1845 | | | fixes in NSS 3.17.4 are | 1846 | | | described in the "Bugs Fixed" | 1847 | | | section below. | 1848 +--------------------------------+--------------------------------+--------------------------------+ 1849 | | | | 1850 +--------------------------------+--------------------------------+--------------------------------+ 1851 | 73 | :ref:`mozilla_projec | **Guide, NSS, NeedsContent, | 1852 | | ts_nss_nss_3_18_release_notes` | Security** | 1853 +--------------------------------+--------------------------------+--------------------------------+ 1854 | | | The NSS team has released | 1855 | | | Network Security Services | 1856 | | | (NSS) 3.18, which is a minor | 1857 | | | release. | 1858 +--------------------------------+--------------------------------+--------------------------------+ 1859 | | | | 1860 +--------------------------------+--------------------------------+--------------------------------+ 1861 | 74 | :ref:`mozilla_projects | **Networking, Security** | 1862 | | _nss_nss_3_18_1_release_notes` | | 1863 +--------------------------------+--------------------------------+--------------------------------+ 1864 | | | Network Security Services | 1865 | | | (NSS) 3.18.1 is a patch | 1866 | | | release for NSS 3.18. The bug | 1867 | | | fixes in NSS 3.18.1 are | 1868 | | | described in the "Bugs Fixed" | 1869 | | | section below. 
| 1870 +--------------------------------+--------------------------------+--------------------------------+ 1871 | | | | 1872 +--------------------------------+--------------------------------+--------------------------------+ 1873 | 75 | :ref:`mozilla_projec | | 1874 | | ts_nss_nss_3_19_release_notes` | | 1875 +--------------------------------+--------------------------------+--------------------------------+ 1876 | | | The NSS team has released | 1877 | | | Network Security Services | 1878 | | | (NSS) 3.19, which is a minor | 1879 | | | security release. | 1880 +--------------------------------+--------------------------------+--------------------------------+ 1881 | | | | 1882 +--------------------------------+--------------------------------+--------------------------------+ 1883 | 76 | :ref:`mozilla_projects | | 1884 | | _nss_nss_3_19_1_release_notes` | | 1885 +--------------------------------+--------------------------------+--------------------------------+ 1886 | | | Network Security Services | 1887 | | | (NSS) 3.19.1 is a security | 1888 | | | release for NSS 3.19. The bug | 1889 | | | fixes in NSS 3.19.1 are | 1890 | | | described in the "Bugs Fixed" | 1891 | | | section below. | 1892 +--------------------------------+--------------------------------+--------------------------------+ 1893 | | | | 1894 +--------------------------------+--------------------------------+--------------------------------+ 1895 | 77 | :ref:`mozilla_projects | | 1896 | | _nss_nss_3_19_2_release_notes` | | 1897 +--------------------------------+--------------------------------+--------------------------------+ 1898 | | | Network Security Services | 1899 | | | (NSS) 3.19.2 is a patch | 1900 | | | release for NSS 3.19 that | 1901 | | | addresses compatibility issues | 1902 | | | in NSS 3.19.1. 
| 1903 +--------------------------------+--------------------------------+--------------------------------+ 1904 | | | | 1905 +--------------------------------+--------------------------------+--------------------------------+ 1906 | 78 | :ref:`mozilla_projects_n | | 1907 | | ss_nss_3_19_2_1_release_notes` | | 1908 +--------------------------------+--------------------------------+--------------------------------+ 1909 | | | Network Security Services | 1910 | | | (NSS) 3.19.2.1 is a patch | 1911 | | | release for NSS 3.19.2. The | 1912 | | | bug fixes in NSS 3.19.2.1 are | 1913 | | | described in the "Security | 1914 | | | Advisories" section below. | 1915 +--------------------------------+--------------------------------+--------------------------------+ 1916 | | | | 1917 +--------------------------------+--------------------------------+--------------------------------+ 1918 | 79 | :ref:`mozilla_projects_n | | 1919 | | ss_nss_3_19_2_2_release_notes` | | 1920 +--------------------------------+--------------------------------+--------------------------------+ 1921 | | | Network Security Services | 1922 | | | (NSS) 3.19.2.2 is a security | 1923 | | | patch release for NSS 3.19.2. | 1924 | | | The bug fixes in NSS 3.19.2.2 | 1925 | | | are described in the "Security | 1926 | | | Fixes" section below. | 1927 +--------------------------------+--------------------------------+--------------------------------+ 1928 | | | | 1929 +--------------------------------+--------------------------------+--------------------------------+ 1930 | 80 | :ref:`mozilla_projects_n | | 1931 | | ss_nss_3_19_2_3_release_notes` | | 1932 +--------------------------------+--------------------------------+--------------------------------+ 1933 | | | Network Security Services | 1934 | | | (NSS) 3.19.2.3 is a security | 1935 | | | patch release for NSS 3.19.2. | 1936 | | | The bug fixes in NSS 3.19.2.3 | 1937 | | | are described in the "Security | 1938 | | | Fixes" section below. 
| 1939 +--------------------------------+--------------------------------+--------------------------------+ 1940 | | | | 1941 +--------------------------------+--------------------------------+--------------------------------+ 1942 | 81 | :ref:`mozilla_projects_n | **NSS** | 1943 | | ss_nss_3_19_2_4_release_notes` | | 1944 +--------------------------------+--------------------------------+--------------------------------+ 1945 | | | Network Security Services | 1946 | | | (NSS) 3.19.2.4 is a security | 1947 | | | patch release for NSS 3.19.2. | 1948 | | | The bug fixed in NSS 3.19.2.4 | 1949 | | | have been described in the | 1950 | | | "Security Fixes" section | 1951 | | | below. | 1952 +--------------------------------+--------------------------------+--------------------------------+ 1953 | | | | 1954 +--------------------------------+--------------------------------+--------------------------------+ 1955 | 82 | :ref:`mozilla_projects | | 1956 | | _nss_nss_3_19_3_release_notes` | | 1957 +--------------------------------+--------------------------------+--------------------------------+ 1958 | | | Network Security Services | 1959 | | | (NSS) 3.19.3 is a patch | 1960 | | | release for NSS 3.19. The bug | 1961 | | | fixes in NSS 3.19.3 are | 1962 | | | described in the "Bugs Fixed" | 1963 | | | section below. | 1964 +--------------------------------+--------------------------------+--------------------------------+ 1965 | | | | 1966 +--------------------------------+--------------------------------+--------------------------------+ 1967 | 83 | :ref:`mozilla_projects | | 1968 | | _nss_nss_3_19_4_release_notes` | | 1969 +--------------------------------+--------------------------------+--------------------------------+ 1970 | | | Network Security Services | 1971 | | | (NSS) 3.19.4 is a patch | 1972 | | | release for NSS 3.19. The bug | 1973 | | | fixes in NSS 3.19.4 are | 1974 | | | described in the "Security | 1975 | | | Advisories" section below. 
| 1976 +--------------------------------+--------------------------------+--------------------------------+ 1977 | | | | 1978 +--------------------------------+--------------------------------+--------------------------------+ 1979 | 84 | :ref:`mozilla_projec | | 1980 | | ts_nss_nss_3_20_release_notes` | | 1981 +--------------------------------+--------------------------------+--------------------------------+ 1982 | | | The NSS team has released | 1983 | | | Network Security Services | 1984 | | | (NSS) 3.20, which is a minor | 1985 | | | release. | 1986 +--------------------------------+--------------------------------+--------------------------------+ 1987 | | | | 1988 +--------------------------------+--------------------------------+--------------------------------+ 1989 | 85 | :ref:`mozilla_projects | | 1990 | | _nss_nss_3_20_1_release_notes` | | 1991 +--------------------------------+--------------------------------+--------------------------------+ 1992 | | | Network Security Services | 1993 | | | (NSS) 3.20.1 is a patch | 1994 | | | release for NSS 3.20. The bug | 1995 | | | fixes in NSS 3.20.1 are | 1996 | | | described in the "Security | 1997 | | | Advisories" section below. | 1998 +--------------------------------+--------------------------------+--------------------------------+ 1999 | | | | 2000 +--------------------------------+--------------------------------+--------------------------------+ 2001 | 86 | :ref:`mozilla_projects | | 2002 | | _nss_nss_3_20_2_release_notes` | | 2003 +--------------------------------+--------------------------------+--------------------------------+ 2004 | | | Network Security Services | 2005 | | | (NSS) 3.20.2 is a security | 2006 | | | patch release for NSS 3.20. | 2007 | | | The bug fixes in NSS 3.20.2 | 2008 | | | are described in the "Security | 2009 | | | Fixes" section below. 
| 2010 +--------------------------------+--------------------------------+--------------------------------+ 2011 | | | | 2012 +--------------------------------+--------------------------------+--------------------------------+ 2013 | 87 | :ref:`mozilla_projec | | 2014 | | ts_nss_nss_3_21_release_notes` | | 2015 +--------------------------------+--------------------------------+--------------------------------+ 2016 | | | 2016-01-07, this page has been | 2017 | | | updated to include additional | 2018 | | | information about the release. | 2019 | | | The sections "Security Fixes" | 2020 | | | and "Acknowledgements" have | 2021 | | | been added. | 2022 +--------------------------------+--------------------------------+--------------------------------+ 2023 | | | | 2024 +--------------------------------+--------------------------------+--------------------------------+ 2025 | 88 | :ref:`mozilla_projects | | 2026 | | _nss_nss_3_21_1_release_notes` | | 2027 +--------------------------------+--------------------------------+--------------------------------+ 2028 | | | Network Security Services | 2029 | | | (NSS) 3.21.1 is a security | 2030 | | | patch release for NSS 3.21. | 2031 | | | The bug fixes in NSS 3.21.1 | 2032 | | | are described in the "Security | 2033 | | | Fixes" section below. | 2034 +--------------------------------+--------------------------------+--------------------------------+ 2035 | | | | 2036 +--------------------------------+--------------------------------+--------------------------------+ 2037 | 89 | :ref:`mozilla_projects | | 2038 | | _nss_nss_3_21_2_release_notes` | | 2039 +--------------------------------+--------------------------------+--------------------------------+ 2040 | | | Network Security Services | 2041 | | | (NSS) 3.21.2 is a security | 2042 | | | patch release for NSS 3.21.1. | 2043 | | | The bug fixes in NSS 3.21.2 | 2044 | | | are described in the "Security | 2045 | | | Fixes" section below. 
| 2046 +--------------------------------+--------------------------------+--------------------------------+ 2047 | | | | 2048 +--------------------------------+--------------------------------+--------------------------------+ 2049 | 90 | :ref:`mozilla_projects | | 2050 | | _nss_nss_3_21_3_release_notes` | | 2051 +--------------------------------+--------------------------------+--------------------------------+ 2052 | | | Network Security Services | 2053 | | | (NSS) 3.21.3 is a security | 2054 | | | patch release for NSS 3.21.2. | 2055 | | | The bug fixes in NSS 3.21.3 | 2056 | | | are described in the "Security | 2057 | | | Fixes" section below. | 2058 +--------------------------------+--------------------------------+--------------------------------+ 2059 | | | | 2060 +--------------------------------+--------------------------------+--------------------------------+ 2061 | 91 | :ref:`mozilla_projects | | 2062 | | _nss_nss_3_21_4_release_notes` | | 2063 +--------------------------------+--------------------------------+--------------------------------+ 2064 | | | Network Security Services | 2065 | | | (NSS) 3.21.4 is a security | 2066 | | | patch release for NSS 3.21. | 2067 | | | The bug fixes in NSS 3.21.4 | 2068 | | | are described in the "Bugs | 2069 | | | Fixed" section below. | 2070 +--------------------------------+--------------------------------+--------------------------------+ 2071 | | | | 2072 +--------------------------------+--------------------------------+--------------------------------+ 2073 | 92 | :ref:`mozilla_projec | | 2074 | | ts_nss_nss_3_22_release_notes` | | 2075 +--------------------------------+--------------------------------+--------------------------------+ 2076 | | | The NSS team has released | 2077 | | | Network Security Services | 2078 | | | (NSS) 3.22, which is a minor | 2079 | | | release. 
| 2080 +--------------------------------+--------------------------------+--------------------------------+ 2081 | | | | 2082 +--------------------------------+--------------------------------+--------------------------------+ 2083 | 93 | :ref:`mozilla_projects | | 2084 | | _nss_nss_3_22_1_release_notes` | | 2085 +--------------------------------+--------------------------------+--------------------------------+ 2086 | | | Network Security Services | 2087 | | | (NSS) 3.22.1 is a patch | 2088 | | | release for NSS 3.22. The bug | 2089 | | | fixes in NSS 3.22.1 are | 2090 | | | described in the "Notable | 2091 | | | Changes" section below. | 2092 +--------------------------------+--------------------------------+--------------------------------+ 2093 | | | | 2094 +--------------------------------+--------------------------------+--------------------------------+ 2095 | 94 | :ref:`mozilla_projects | | 2096 | | _nss_nss_3_22_2_release_notes` | | 2097 +--------------------------------+--------------------------------+--------------------------------+ 2098 | | | Network Security Services | 2099 | | | (NSS) 3.22.2 is a security | 2100 | | | patch release for NSS 3.22. | 2101 | | | The bug fixes in NSS 3.22.2 | 2102 | | | are described in the "Security | 2103 | | | Fixes" section below. | 2104 +--------------------------------+--------------------------------+--------------------------------+ 2105 | | | | 2106 +--------------------------------+--------------------------------+--------------------------------+ 2107 | 95 | :ref:`mozilla_projects | | 2108 | | _nss_nss_3_22_3_release_notes` | | 2109 +--------------------------------+--------------------------------+--------------------------------+ 2110 | | | Network Security Services | 2111 | | | (NSS) 3.22.3 is a patch | 2112 | | | release for NSS 3.22. The bug | 2113 | | | fixes in NSS 3.22.3 are | 2114 | | | described in the "Bugs fixed" | 2115 | | | section below. 
| 2116 +--------------------------------+--------------------------------+--------------------------------+ 2117 | | | | 2118 +--------------------------------+--------------------------------+--------------------------------+ 2119 | 96 | :ref:`mozilla_projec | **Networking, Security** | 2120 | | ts_nss_nss_3_23_release_notes` | | 2121 +--------------------------------+--------------------------------+--------------------------------+ 2122 | | | The NSS team has released | 2123 | | | Network Security Services | 2124 | | | (NSS) 3.23, which is a minor | 2125 | | | release. | 2126 +--------------------------------+--------------------------------+--------------------------------+ 2127 | | | | 2128 +--------------------------------+--------------------------------+--------------------------------+ 2129 | 97 | :ref:`mozilla_projec | **NSS, Release Notes** | 2130 | | ts_nss_nss_3_24_release_notes` | | 2131 +--------------------------------+--------------------------------+--------------------------------+ 2132 | | | The Network Security Services | 2133 | | | (NSS) team has released NSS | 2134 | | | 3.24, which is a minor | 2135 | | | release. | 2136 +--------------------------------+--------------------------------+--------------------------------+ 2137 | | | | 2138 +--------------------------------+--------------------------------+--------------------------------+ 2139 | 98 | :ref:`mozilla_projec | **NSS, Release Notes** | 2140 | | ts_nss_nss_3_25_release_notes` | | 2141 +--------------------------------+--------------------------------+--------------------------------+ 2142 | | | The Network Security Services | 2143 | | | (NSS) team has released NSS | 2144 | | | 3.25, which is a minor | 2145 | | | release. 
| 2146 +--------------------------------+--------------------------------+--------------------------------+ 2147 | | | | 2148 +--------------------------------+--------------------------------+--------------------------------+ 2149 | 99 | :ref:`mozilla_projects | | 2150 | | _nss_nss_3_25_1_release_notes` | | 2151 +--------------------------------+--------------------------------+--------------------------------+ 2152 | | | Network Security Services | 2153 | | | (NSS) 3.25.1 is a patch | 2154 | | | release for NSS 3.25. | 2155 +--------------------------------+--------------------------------+--------------------------------+ 2156 | | | | 2157 +--------------------------------+--------------------------------+--------------------------------+ 2158 | 100 | :ref:`mozilla_projec | **NSS, Release Notes** | 2159 | | ts_nss_nss_3_26_release_notes` | | 2160 +--------------------------------+--------------------------------+--------------------------------+ 2161 | | | The Network Security Services | 2162 | | | (NSS) team has released NSS | 2163 | | | 3.26, which is a minor | 2164 | | | release. | 2165 +--------------------------------+--------------------------------+--------------------------------+ 2166 | | | | 2167 +--------------------------------+--------------------------------+--------------------------------+ 2168 | 101 | :ref:`mozilla_projects | | 2169 | | _nss_nss_3_26_2_release_notes` | | 2170 +--------------------------------+--------------------------------+--------------------------------+ 2171 | | | Network Security Services | 2172 | | | (NSS) 3.26.2 is a patch | 2173 | | | release for NSS 3.26. 
| 2174 +--------------------------------+--------------------------------+--------------------------------+ 2175 | | | | 2176 +--------------------------------+--------------------------------+--------------------------------+ 2177 | 102 | :ref:`mozilla_projec | | 2178 | | ts_nss_nss_3_27_release_notes` | | 2179 +--------------------------------+--------------------------------+--------------------------------+ 2180 | | | The Network Security Services | 2181 | | | (NSS) team has released NSS | 2182 | | | 3.27, which is a minor | 2183 | | | release. | 2184 +--------------------------------+--------------------------------+--------------------------------+ 2185 | | | | 2186 +--------------------------------+--------------------------------+--------------------------------+ 2187 | 103 | :ref:`mozilla_projects | | 2188 | | _nss_nss_3_27_1_release_notes` | | 2189 +--------------------------------+--------------------------------+--------------------------------+ 2190 | | | Network Security Services | 2191 | | | (NSS) 3.27.1 is a patch | 2192 | | | release for NSS 3.27. | 2193 +--------------------------------+--------------------------------+--------------------------------+ 2194 | | | | 2195 +--------------------------------+--------------------------------+--------------------------------+ 2196 | 104 | :ref:`mozilla_projects | | 2197 | | _nss_nss_3_27_2_release_notes` | | 2198 +--------------------------------+--------------------------------+--------------------------------+ 2199 | | | Network Security Services | 2200 | | | (NSS) 3.27.2 is a patch | 2201 | | | release for NSS 3.27. 
| 2202 +--------------------------------+--------------------------------+--------------------------------+ 2203 | | | | 2204 +--------------------------------+--------------------------------+--------------------------------+ 2205 | 105 | :ref:`mozilla_projec | | 2206 | | ts_nss_nss_3_28_release_notes` | | 2207 +--------------------------------+--------------------------------+--------------------------------+ 2208 | | | The Network Security Services | 2209 | | | (NSS) team has released NSS | 2210 | | | 3.28, which is a minor | 2211 | | | release. | 2212 +--------------------------------+--------------------------------+--------------------------------+ 2213 | | | | 2214 +--------------------------------+--------------------------------+--------------------------------+ 2215 | 106 | :ref:`mozilla_projects | | 2216 | | _nss_nss_3_28_1_release_notes` | | 2217 +--------------------------------+--------------------------------+--------------------------------+ 2218 | | | Network Security Services | 2219 | | | (NSS) 3.28.1 is a patch | 2220 | | | release for NSS 3.28. The bug | 2221 | | | fixes in NSS 3.28.1 are | 2222 | | | described in the "Bugs Fixed" | 2223 | | | section below. | 2224 +--------------------------------+--------------------------------+--------------------------------+ 2225 | | | | 2226 +--------------------------------+--------------------------------+--------------------------------+ 2227 | 107 | :ref:`mozilla_projects | | 2228 | | _nss_nss_3_28_2_release_notes` | | 2229 +--------------------------------+--------------------------------+--------------------------------+ 2230 | | | Network Security Services | 2231 | | | (NSS) 3.28.2 is a patch | 2232 | | | release for NSS 3.28. 
| 2233 +--------------------------------+--------------------------------+--------------------------------+ 2234 | | | | 2235 +--------------------------------+--------------------------------+--------------------------------+ 2236 | 108 | :ref:`mozilla_projects | | 2237 | | _nss_nss_3_28_3_release_notes` | | 2238 +--------------------------------+--------------------------------+--------------------------------+ 2239 | | | Network Security Services | 2240 | | | (NSS) 3.28.3 is a patch | 2241 | | | release for NSS 3.28. The bug | 2242 | | | fixes in NSS 3.28.3 are | 2243 | | | described in the "Bugs Fixed" | 2244 | | | section below. | 2245 +--------------------------------+--------------------------------+--------------------------------+ 2246 | | | | 2247 +--------------------------------+--------------------------------+--------------------------------+ 2248 | 109 | :ref:`mozilla_projects | | 2249 | | _nss_nss_3_28_4_release_notes` | | 2250 +--------------------------------+--------------------------------+--------------------------------+ 2251 | | | Network Security Services | 2252 | | | (NSS) 3.28.4 is a security | 2253 | | | patch release for NSS 3.28. | 2254 | | | The bug fixes in NSS 3.28.4 | 2255 | | | are described in the "Bugs | 2256 | | | Fixed" section below. | 2257 +--------------------------------+--------------------------------+--------------------------------+ 2258 | | | | 2259 +--------------------------------+--------------------------------+--------------------------------+ 2260 | 110 | :ref:`mozilla_projects | | 2261 | | _nss_nss_3_28_5_release_notes` | | 2262 +--------------------------------+--------------------------------+--------------------------------+ 2263 | | | Network Security Services | 2264 | | | (NSS) 3.28.5 is a patch | 2265 | | | release for NSS 3.28. The bug | 2266 | | | fixes in NSS 3.28.5 are | 2267 | | | described in the "Bugs Fixed" | 2268 | | | section below. 
| 2269 +--------------------------------+--------------------------------+--------------------------------+ 2270 | | | | 2271 +--------------------------------+--------------------------------+--------------------------------+ 2272 | 111 | :ref:`mozilla_projec | | 2273 | | ts_nss_nss_3_29_release_notes` | | 2274 +--------------------------------+--------------------------------+--------------------------------+ 2275 | | | The Network Security Services | 2276 | | | (NSS) team has released NSS | 2277 | | | 3.29, which is a minor | 2278 | | | release. | 2279 +--------------------------------+--------------------------------+--------------------------------+ 2280 | | | | 2281 +--------------------------------+--------------------------------+--------------------------------+ 2282 | 112 | :ref:`mozilla_projects | | 2283 | | _nss_nss_3_29_1_release_notes` | | 2284 +--------------------------------+--------------------------------+--------------------------------+ 2285 | | | Network Security Services | 2286 | | | (NSS) 3.29.1 is a patch | 2287 | | | release for NSS 3.29. The bug | 2288 | | | fixes in NSS 3.29.1 are | 2289 | | | described in the "Bugs Fixed" | 2290 | | | section below. | 2291 +--------------------------------+--------------------------------+--------------------------------+ 2292 | | | | 2293 +--------------------------------+--------------------------------+--------------------------------+ 2294 | 113 | :ref:`mozilla_projects | | 2295 | | _nss_nss_3_29_2_release_notes` | | 2296 +--------------------------------+--------------------------------+--------------------------------+ 2297 | | | Network Security Services | 2298 | | | (NSS) 3.29.2 is a patch | 2299 | | | release for NSS 3.29. The bug | 2300 | | | fixes in NSS 3.29.2 are | 2301 | | | described in the "Bugs Fixed" | 2302 | | | section below. 
| 2303 +--------------------------------+--------------------------------+--------------------------------+ 2304 | | | | 2305 +--------------------------------+--------------------------------+--------------------------------+ 2306 | 114 | :ref:`mozilla_projects | | 2307 | | _nss_nss_3_29_3_release_notes` | | 2308 +--------------------------------+--------------------------------+--------------------------------+ 2309 | | | Network Security Services | 2310 | | | (NSS) 3.29.3 is a patch | 2311 | | | release for NSS 3.29. The bug | 2312 | | | fixes in NSS 3.29.3 are | 2313 | | | described in the "Bugs Fixed" | 2314 | | | section below. | 2315 +--------------------------------+--------------------------------+--------------------------------+ 2316 | | | | 2317 +--------------------------------+--------------------------------+--------------------------------+ 2318 | 115 | :ref:`mozilla_projects | | 2319 | | _nss_nss_3_29_5_release_notes` | | 2320 +--------------------------------+--------------------------------+--------------------------------+ 2321 | | | Network Security Services | 2322 | | | (NSS) 3.29.5 is a security | 2323 | | | patch release for NSS 3.29. | 2324 | | | The bug fixes in NSS 3.29.5 | 2325 | | | are described in the "Bugs | 2326 | | | Fixed" section below. | 2327 +--------------------------------+--------------------------------+--------------------------------+ 2328 | | | | 2329 +--------------------------------+--------------------------------+--------------------------------+ 2330 | 116 | :ref:`mozilla_projec | | 2331 | | ts_nss_nss_3_30_release_notes` | | 2332 +--------------------------------+--------------------------------+--------------------------------+ 2333 | | | The Network Security Services | 2334 | | | (NSS) team has released NSS | 2335 | | | 3.30, which is a minor | 2336 | | | release. 
| 2337 +--------------------------------+--------------------------------+--------------------------------+ 2338 | | | | 2339 +--------------------------------+--------------------------------+--------------------------------+ 2340 | 117 | :ref:`mozilla_projects | | 2341 | | _nss_nss_3_30_1_release_notes` | | 2342 +--------------------------------+--------------------------------+--------------------------------+ 2343 | | | Network Security Services | 2344 | | | (NSS) 3.30.1 is a security | 2345 | | | patch release for NSS 3.30. | 2346 | | | The bug fixes in NSS 3.30.1 | 2347 | | | are described in the "Bugs | 2348 | | | Fixed" section below. | 2349 +--------------------------------+--------------------------------+--------------------------------+ 2350 | | | | 2351 +--------------------------------+--------------------------------+--------------------------------+ 2352 | 118 | :ref:`mozilla_projects | | 2353 | | _nss_nss_3_30_2_release_notes` | | 2354 +--------------------------------+--------------------------------+--------------------------------+ 2355 | | | Network Security Services | 2356 | | | (NSS) 3.30.2 is a patch | 2357 | | | release for NSS 3.30. The bug | 2358 | | | fixes in NSS 3.30.2 are | 2359 | | | described in the "Bugs Fixed" | 2360 | | | section below. | 2361 +--------------------------------+--------------------------------+--------------------------------+ 2362 | | | | 2363 +--------------------------------+--------------------------------+--------------------------------+ 2364 | 119 | :ref:`mozilla_projec | | 2365 | | ts_nss_nss_3_31_release_notes` | | 2366 +--------------------------------+--------------------------------+--------------------------------+ 2367 | | | The Network Security Services | 2368 | | | (NSS) team has released NSS | 2369 | | | 3.31, which is a minor | 2370 | | | release. 
| 2371 +--------------------------------+--------------------------------+--------------------------------+ 2372 | | | | 2373 +--------------------------------+--------------------------------+--------------------------------+ 2374 | 120 | :ref:`mozilla_projects | | 2375 | | _nss_nss_3_31_1_release_notes` | | 2376 +--------------------------------+--------------------------------+--------------------------------+ 2377 | | | The Network Security Services | 2378 | | | (NSS) team has released NSS | 2379 | | | 3.31.1, which is a patch | 2380 | | | release for NSS 3.31. | 2381 +--------------------------------+--------------------------------+--------------------------------+ 2382 | | | | 2383 +--------------------------------+--------------------------------+--------------------------------+ 2384 | 121 | :ref:`mozilla_projec | | 2385 | | ts_nss_nss_3_32_release_notes` | | 2386 +--------------------------------+--------------------------------+--------------------------------+ 2387 | | | The Network Security Services | 2388 | | | (NSS) team has released NSS | 2389 | | | 3.32, which is a minor | 2390 | | | release. | 2391 +--------------------------------+--------------------------------+--------------------------------+ 2392 | | | | 2393 +--------------------------------+--------------------------------+--------------------------------+ 2394 | 122 | :ref:`mozilla_projec | | 2395 | | ts_nss_nss_3_33_release_notes` | | 2396 +--------------------------------+--------------------------------+--------------------------------+ 2397 | | | The Network Security Services | 2398 | | | (NSS) team has released NSS | 2399 | | | 3.33, which is a minor | 2400 | | | release. 
| 2401 +--------------------------------+--------------------------------+--------------------------------+ 2402 | | | | 2403 +--------------------------------+--------------------------------+--------------------------------+ 2404 | 123 | :ref:`mozilla_projec | | 2405 | | ts_nss_nss_3_34_release_notes` | | 2406 +--------------------------------+--------------------------------+--------------------------------+ 2407 | | | The Network Security Services | 2408 | | | (NSS) team has released NSS | 2409 | | | 3.34, which is a minor | 2410 | | | release. | 2411 +--------------------------------+--------------------------------+--------------------------------+ 2412 | | | | 2413 +--------------------------------+--------------------------------+--------------------------------+ 2414 | 124 | :ref:`mozilla_projects | | 2415 | | _nss_nss_3_34_1_release_notes` | | 2416 +--------------------------------+--------------------------------+--------------------------------+ 2417 | | | The Network Security Services | 2418 | | | (NSS) team has released NSS | 2419 | | | 3.34.1, which is a minor | 2420 | | | release. | 2421 +--------------------------------+--------------------------------+--------------------------------+ 2422 | | | | 2423 +--------------------------------+--------------------------------+--------------------------------+ 2424 | 125 | :ref:`mozilla_projec | | 2425 | | ts_nss_nss_3_35_release_notes` | | 2426 +--------------------------------+--------------------------------+--------------------------------+ 2427 | | | The NSS team has released | 2428 | | | Network Security Services | 2429 | | | (NSS) 3.35, which is a minor | 2430 | | | release. 
| 2431 +--------------------------------+--------------------------------+--------------------------------+ 2432 | | | | 2433 +--------------------------------+--------------------------------+--------------------------------+ 2434 | 126 | :ref:`mozilla_projec | | 2435 | | ts_nss_nss_3_36_release_notes` | | 2436 +--------------------------------+--------------------------------+--------------------------------+ 2437 | | | The NSS team has released | 2438 | | | Network Security Services | 2439 | | | (NSS) 3.36, which is a minor | 2440 | | | release. | 2441 +--------------------------------+--------------------------------+--------------------------------+ 2442 | | | | 2443 +--------------------------------+--------------------------------+--------------------------------+ 2444 | 127 | :ref:`mozilla_projects | | 2445 | | _nss_nss_3_36_1_release_notes` | | 2446 +--------------------------------+--------------------------------+--------------------------------+ 2447 | | | Network Security Services | 2448 | | | (NSS) 3.36.1 is a patch | 2449 | | | release for NSS 3.36. | 2450 +--------------------------------+--------------------------------+--------------------------------+ 2451 | | | | 2452 +--------------------------------+--------------------------------+--------------------------------+ 2453 | 128 | :ref:`mozilla_projects | **NSS, Release Notes** | 2454 | | _nss_nss_3_36_2_release_notes` | | 2455 +--------------------------------+--------------------------------+--------------------------------+ 2456 | | | Network Security Services | 2457 | | | (NSS) 3.36.2 is a patch | 2458 | | | release for NSS 3.36. 
| 2459 +--------------------------------+--------------------------------+--------------------------------+ 2460 | | | | 2461 +--------------------------------+--------------------------------+--------------------------------+ 2462 | 129 | :ref:`mozilla_projects | **NSS, Release Notes** | 2463 | | _nss_nss_3_36_4_release_notes` | | 2464 +--------------------------------+--------------------------------+--------------------------------+ 2465 | | | Network Security Services | 2466 | | | (NSS) 3.36.4 is a patch | 2467 | | | release for NSS 3.36. | 2468 +--------------------------------+--------------------------------+--------------------------------+ 2469 | | | | 2470 +--------------------------------+--------------------------------+--------------------------------+ 2471 | 130 | :ref:`mozilla_projects | **Mozilla, NSS, Release | 2472 | | _nss_nss_3_36_5_release_notes` | Notes** | 2473 +--------------------------------+--------------------------------+--------------------------------+ 2474 | | | Network Security Services | 2475 | | | (NSS) 3.36.5 is a patch | 2476 | | | release for NSS 3.36. The bug | 2477 | | | fixes in NSS 3.36.5 are | 2478 | | | described in the "Bugs Fixed" | 2479 | | | section below. | 2480 +--------------------------------+--------------------------------+--------------------------------+ 2481 | | | | 2482 +--------------------------------+--------------------------------+--------------------------------+ 2483 | 131 | :ref:`mozilla_projects | **Mozilla, NSS, Release | 2484 | | _nss_nss_3_36_6_release_notes` | Notes** | 2485 +--------------------------------+--------------------------------+--------------------------------+ 2486 | | | Network Security Services | 2487 | | | (NSS) 3.36.6 is a patch | 2488 | | | release for NSS 3.36. The bug | 2489 | | | fixes in NSS 3.36.6 are | 2490 | | | described in the "Bugs Fixed" | 2491 | | | section below. 
| 2492 +--------------------------------+--------------------------------+--------------------------------+ 2493 | | | | 2494 +--------------------------------+--------------------------------+--------------------------------+ 2495 | 132 | :ref:`mozilla_projects | | 2496 | | _nss_nss_3_36_7_release_notes` | | 2497 +--------------------------------+--------------------------------+--------------------------------+ 2498 | | | Network Security Services | 2499 | | | (NSS) 3.36.7 is a patch | 2500 | | | release for NSS 3.36. The bug | 2501 | | | fixes in NSS 3.36.7 are | 2502 | | | described in the "Bugs Fixed" | 2503 | | | section below. It was released | 2504 | | | on 19 January 2019. | 2505 +--------------------------------+--------------------------------+--------------------------------+ 2506 | | | | 2507 +--------------------------------+--------------------------------+--------------------------------+ 2508 | 133 | :ref:`mozilla_projects | | 2509 | | _nss_nss_3_36_8_release_notes` | | 2510 +--------------------------------+--------------------------------+--------------------------------+ 2511 | | | Network Security Services | 2512 | | | (NSS) 3.36.8 is a patch | 2513 | | | release for NSS 3.36. The bug | 2514 | | | fixes in NSS 3.36.8 are | 2515 | | | described in the "Bugs Fixed" | 2516 | | | section below. It was released | 2517 | | | on 21 June 2019. | 2518 +--------------------------------+--------------------------------+--------------------------------+ 2519 | | | | 2520 +--------------------------------+--------------------------------+--------------------------------+ 2521 | 134 | :ref:`mozilla_projec | | 2522 | | ts_nss_nss_3_37_release_notes` | | 2523 +--------------------------------+--------------------------------+--------------------------------+ 2524 | | | The NSS team has released | 2525 | | | Network Security Services | 2526 | | | (NSS) 3.37, which is a minor | 2527 | | | release. 
| 2528 +--------------------------------+--------------------------------+--------------------------------+ 2529 | | | | 2530 +--------------------------------+--------------------------------+--------------------------------+ 2531 | 135 | :ref:`mozilla_projects | | 2532 | | _nss_nss_3_37_1_release_notes` | | 2533 +--------------------------------+--------------------------------+--------------------------------+ 2534 | | | Network Security Services | 2535 | | | (NSS) 3.37.1 is a patch | 2536 | | | release for NSS 3.37. | 2537 +--------------------------------+--------------------------------+--------------------------------+ 2538 | | | | 2539 +--------------------------------+--------------------------------+--------------------------------+ 2540 | 136 | :ref:`mozilla_project | | 2541 | | s_nss_nss_3_37_3release_notes` | | 2542 +--------------------------------+--------------------------------+--------------------------------+ 2543 | | | Network Security Services | 2544 | | | (NSS) 3.37.3 is a patch | 2545 | | | release for NSS 3.37. | 2546 +--------------------------------+--------------------------------+--------------------------------+ 2547 | | | | 2548 +--------------------------------+--------------------------------+--------------------------------+ 2549 | 137 | :ref:`mozilla_projec | **Mozilla, NSS, Release | 2550 | | ts_nss_nss_3_38_release_notes` | Notes** | 2551 +--------------------------------+--------------------------------+--------------------------------+ 2552 | | | The NSS team has released | 2553 | | | Network Security Services | 2554 | | | (NSS) 3.38, which is a minor | 2555 | | | release. 
| 2556 +--------------------------------+--------------------------------+--------------------------------+ 2557 | | | | 2558 +--------------------------------+--------------------------------+--------------------------------+ 2559 | 138 | :ref:`mozilla_projec | | 2560 | | ts_nss_nss_3_39_release_notes` | | 2561 +--------------------------------+--------------------------------+--------------------------------+ 2562 | | | The NSS team has released | 2563 | | | Network Security Services | 2564 | | | (NSS) 3.39, which is a minor | 2565 | | | release. | 2566 +--------------------------------+--------------------------------+--------------------------------+ 2567 | | | | 2568 +--------------------------------+--------------------------------+--------------------------------+ 2569 | 139 | :ref:`mozilla_projec | | 2570 | | ts_nss_nss_3_40_release_notes` | | 2571 +--------------------------------+--------------------------------+--------------------------------+ 2572 | | | The NSS team has released | 2573 | | | Network Security Services | 2574 | | | (NSS) 3.40, which is a minor | 2575 | | | release. 
| 2576 +--------------------------------+--------------------------------+--------------------------------+ 2577 | | | | 2578 +--------------------------------+--------------------------------+--------------------------------+ 2579 | 140 | :ref:`mozilla_projects | | 2580 | | _nss_nss_3_40_1_release_notes` | | 2581 +--------------------------------+--------------------------------+--------------------------------+ 2582 | | | The NSS team has released | 2583 | | | Network Security Services | 2584 | | | (NSS) 3.40.1, which is a patch | 2585 | | | release for NSS 3.40 | 2586 +--------------------------------+--------------------------------+--------------------------------+ 2587 | | | | 2588 +--------------------------------+--------------------------------+--------------------------------+ 2589 | 141 | :ref:`mozilla_projec | | 2590 | | ts_nss_nss_3_41_release_notes` | | 2591 +--------------------------------+--------------------------------+--------------------------------+ 2592 | | | The NSS team has released | 2593 | | | Network Security Services | 2594 | | | (NSS) 3.41 on 7 December 2018, | 2595 | | | which is a minor release. | 2596 +--------------------------------+--------------------------------+--------------------------------+ 2597 | | | | 2598 +--------------------------------+--------------------------------+--------------------------------+ 2599 | 142 | :ref:`mozilla_projects | | 2600 | | _nss_nss_3_41_1_release_notes` | | 2601 +--------------------------------+--------------------------------+--------------------------------+ 2602 | | | Network Security Services | 2603 | | | (NSS) 3.41.1 is a patch | 2604 | | | release for NSS 3.41. The bug | 2605 | | | fixes in NSS 3.41.1 are | 2606 | | | described in the "Bugs Fixed" | 2607 | | | section below. It was released | 2608 | | | on 22 January 2019. 
|
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   | 143                            | :ref:`mozilla_projec           |                                |
   |                                | ts_nss_nss_3_42_release_notes` |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                | The NSS team has released      |
   |                                |                                | Network Security Services      |
   |                                |                                | (NSS) 3.42 on 25 January 2019, |
   |                                |                                | which is a minor release.      |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   | 144                            | :ref:`mozilla_projects         |                                |
   |                                | _nss_nss_3_42_1_release_notes` |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                | The NSS team has released      |
   |                                |                                | Network Security Services      |
   |                                |                                | (NSS) 3.42.1 on 31 January     |
   |                                |                                | 2019, which is a patch         |
   |                                |                                | release.                       |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   | 145                            | :ref:`mozilla_projec           |                                |
   |                                | ts_nss_nss_3_43_release_notes` |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                | The NSS team has released      |
   |                                |                                | Network Security Services      |
   |                                |                                | (NSS) 3.43 on 16 March 2019,   |
   |                                |                                | which is a minor release.      |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   | 146                            | :ref:`mozilla_projec           |                                |
   |                                | ts_nss_nss_3_44_release_notes` |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                | The NSS team has released      |
   |                                |                                | Network Security Services      |
   |                                |                                | (NSS) 3.44 on 10 May 2019,     |
   |                                |                                | which is a minor release.      |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   | 147                            | :ref:`mozilla_projects         |                                |
   |                                | _nss_nss_3_44_1_release_notes` |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                | Network Security Services      |
   |                                |                                | (NSS) 3.44.1 is a patch        |
   |                                |                                | release for NSS 3.44. The bug  |
   |                                |                                | fixes in NSS 3.44.1 are        |
   |                                |                                | described in the "Bugs Fixed"  |
   |                                |                                | section below. It was released |
   |                                |                                | on 21 June 2019.               |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   | 148                            | :ref:`mozilla_projects         |                                |
   |                                | _nss_nss_3_44_2_release_notes` |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                | Network Security Services      |
   |                                |                                | (NSS) 3.44.2 is a patch        |
   |                                |                                | release for NSS 3.44. The bug  |
   |                                |                                | fixes in NSS 3.44.2 are        |
   |                                |                                | described in the "Bugs Fixed"  |
   |                                |                                | section below. It was released |
   |                                |                                | on 2 October 2019.             |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   | 149                            | :ref:`mozilla_projects         |                                |
   |                                | _nss_nss_3_44_3_release_notes` |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                | Network Security Services      |
   |                                |                                | (NSS) 3.44.3 is a patch        |
   |                                |                                | release for NSS 3.44. The bug  |
   |                                |                                | fixes in NSS 3.44.3 are        |
   |                                |                                | described in the "Bugs Fixed"  |
   |                                |                                | section below. It was released |
   |                                |                                | on 19 November 2019.           |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   | 150                            | :ref:`mozilla_projects         |                                |
   |                                | _nss_nss_3_44_4_release_notes` |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                | The NSS team has released      |
   |                                |                                | Network Security Services      |
   |                                |                                | (NSS) 3.44.4 on **19 May       |
   |                                |                                | 2020**. This is a security     |
   |                                |                                | patch release.                 |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   | 151                            | :ref:`mozilla_projec           |                                |
   |                                | ts_nss_nss_3_45_release_notes` |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                | The NSS team has released      |
   |                                |                                | Network Security Services      |
   |                                |                                | (NSS) 3.45 on **5 July 2019**, |
   |                                |                                | which is a minor release.      |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   | 152                            | :ref:`mozilla_projec           |                                |
   |                                | ts_nss_nss_3_46_release_notes` |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                | The NSS team has released      |
   |                                |                                | Network Security Services      |
   |                                |                                | (NSS) 3.46 on **30 August      |
   |                                |                                | 2019**, which is a minor       |
   |                                |                                | release.                       |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   | 153                            | :ref:`mozilla_projects         |                                |
   |                                | _nss_nss_3_46_1_release_notes` |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                | Network Security Services      |
   |                                |                                | (NSS) 3.46.1 is a patch        |
   |                                |                                | release for NSS 3.46. The bug  |
   |                                |                                | fixes in NSS 3.46.1 are        |
   |                                |                                | described in the "Bugs Fixed"  |
   |                                |                                | section below. It was released |
   |                                |                                | on 2 October 2019.             |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   | 154                            | :ref:`mozilla_projec           |                                |
   |                                | ts_nss_nss_3_47_release_notes` |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                | The NSS team has released      |
   |                                |                                | Network Security Services      |
   |                                |                                | (NSS) 3.47 on **18 October     |
   |                                |                                | 2019**, which is a minor       |
   |                                |                                | release.                       |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   | 155                            | :ref:`mozilla_projects         |                                |
   |                                | _nss_nss_3_47_1_release_notes` |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                | Network Security Services      |
   |                                |                                | (NSS) 3.47.1 is a patch        |
   |                                |                                | release for NSS 3.47. The bug  |
   |                                |                                | fixes in NSS 3.47.1 are        |
   |                                |                                | described in the "Bugs Fixed"  |
   |                                |                                | section below. It was released |
   |                                |                                | on 19 November 2019.           |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   | 156                            | :ref:`mozilla_projec           |                                |
   |                                | ts_nss_nss_3_48_release_notes` |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                | The NSS team has released      |
   |                                |                                | Network Security Services      |
   |                                |                                | (NSS) 3.48 on **5 December     |
   |                                |                                | 2019**, which is a minor       |
   |                                |                                | release.                       |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   | 157                            | :ref:`mozilla_projects         |                                |
   |                                | _nss_nss_3_48_1_release_notes` |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                | Network Security Services      |
   |                                |                                | (NSS) 3.48.1 is a patch        |
   |                                |                                | release for NSS 3.48. The bug  |
   |                                |                                | fixes in NSS 3.48.1 are        |
   |                                |                                | described in the "Bugs Fixed"  |
   |                                |                                | section below. It was released |
   |                                |                                | on **13 January 2020**.        |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   | 158                            | :ref:`mozilla_projec           |                                |
   |                                | ts_nss_nss_3_49_release_notes` |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                | The NSS team has released      |
   |                                |                                | Network Security Services      |
   |                                |                                | (NSS) 3.49 on **3 January      |
   |                                |                                | 2020**, which is a minor       |
   |                                |                                | release.                       |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   | 159                            | :ref:`mozilla_projects         |                                |
   |                                | _nss_nss_3_49_1_release_notes` |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                | Network Security Services      |
   |                                |                                | (NSS) 3.49.1 is a patch        |
   |                                |                                | release for NSS 3.49. The bug  |
   |                                |                                | fixes in NSS 3.49.1 are        |
   |                                |                                | described in the "Bugs Fixed"  |
   |                                |                                | section below. It was released |
   |                                |                                | on **13 January 2020**.        |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   | 160                            | :ref:`mozilla_projects         |                                |
   |                                | _nss_nss_3_49_2_release_notes` |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                | Network Security Services      |
   |                                |                                | (NSS) 3.49.2 is a patch        |
   |                                |                                | release for NSS 3.49. The bug  |
   |                                |                                | fixes in NSS 3.49.2 are        |
   |                                |                                | described in the "Bugs Fixed"  |
   |                                |                                | section below. It was released |
   |                                |                                | on **23 January 2020**.        |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   | 161                            | :ref:`mozilla_projec           |                                |
   |                                | ts_nss_nss_3_50_release_notes` |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                | The NSS team has released      |
   |                                |                                | Network Security Services      |
   |                                |                                | (NSS) 3.50 on **7 February     |
   |                                |                                | 2020**, which is a minor       |
   |                                |                                | release.                       |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   | 162                            | :ref:`mozilla_projec           |                                |
   |                                | ts_nss_nss_3_51_release_notes` |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                | The NSS team has released      |
   |                                |                                | Network Security Services      |
   |                                |                                | (NSS) 3.51 on **6 March        |
   |                                |                                | 2020**, which is a minor       |
   |                                |                                | release.                       |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   | 163                            | :ref:`mozilla_projects         |                                |
   |                                | _nss_nss_3_51_1_release_notes` |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                | The NSS team has released      |
   |                                |                                | Network Security Services      |
   |                                |                                | (NSS) 3.51.1 on **3 April      |
   |                                |                                | 2020**. This is a minor        |
   |                                |                                | release focusing on functional |
   |                                |                                | bug fixes and low-risk patches |
   |                                |                                | only.                          |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   | 164                            | :ref:`mozilla_projec           |                                |
   |                                | ts_nss_nss_3_52_release_notes` |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                | The NSS team has released      |
   |                                |                                | Network Security Services      |
   |                                |                                | (NSS) 3.52 on **1 May 2020**.  |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   | 165                            | :ref:`mozilla_projects         |                                |
   |                                | _nss_nss_3_52_1_release_notes` |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                | The NSS team has released      |
   |                                |                                | Network Security Services      |
   |                                |                                | (NSS) 3.52.1 on **19 May       |
   |                                |                                | 2020**. This is a security     |
   |                                |                                | patch release.                 |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   | 166                            | :ref:`mozilla_projec           |                                |
   |                                | ts_nss_nss_3_53_release_notes` |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                | The NSS team released Network  |
   |                                |                                | Security Services (NSS) 3.53   |
   |                                |                                | on **29 May 2020**. NSS 3.53   |
   |                                |                                | will be a long-term support    |
   |                                |                                | release, supporting Firefox 78 |
   |                                |                                | ESR.                           |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   | 167                            | :ref:`mozilla_projects         |                                |
   |                                | _nss_nss_3_53_1_release_notes` |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                | The NSS team has released      |
   |                                |                                | Network Security Services      |
   |                                |                                | (NSS) 3.53.1 on **16 June      |
   |                                |                                | 2020**. This is a security     |
   |                                |                                | patch release.                 |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   | 168                            | :ref:`mozilla_projec           |                                |
   |                                | ts_nss_nss_3_54_release_notes` |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                | The NSS team has released      |
   |                                |                                | Network Security Services      |
   |                                |                                | (NSS) 3.54 on **26 June        |
   |                                |                                | 2020**, which is a minor       |
   |                                |                                | release.                       |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   | 169                            | :ref:`mozilla_projec           |                                |
   |                                | ts_nss_nss_3_55_release_notes` |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                | The NSS team has released      |
   |                                |                                | Network Security Services      |
   |                                |                                | (NSS) 3.55 on **24 July        |
   |                                |                                | 2020**, which is a minor       |
   |                                |                                | release.                       |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   | 170                            | :ref:`mozilla_projec           |                                |
   |                                | ts_nss_nss_3_56_release_notes` |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                | The NSS team has released      |
   |                                |                                | Network Security Services      |
   |                                |                                | (NSS) 3.56 on **21 August      |
   |                                |                                | 2020**, which is a minor       |
   |                                |                                | release.                       |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   | 171                            | :ref:`mozilla_projec           |                                |
   |                                | ts_nss_nss_3_57_release_notes` |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                | The NSS team has released      |
   |                                |                                | Network Security Services      |
   |                                |                                | (NSS) 3.57 on **18 September   |
   |                                |                                | 2020**, which is a minor       |
   |                                |                                | release.                       |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   | 172                            | :ref:`mozilla_projec           |                                |
   |                                | ts_nss_nss_3_58_release_notes` |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                | The NSS team has released      |
   |                                |                                | Network Security Services      |
   |                                |                                | (NSS) 3.58 on **16 October     |
   |                                |                                | 2020**, which is a minor       |
   |                                |                                | release.                       |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   | 173                            | :ref:`mozilla_projec           |                                |
   |                                | ts_nss_nss_3_59_release_notes` |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                | The NSS team has released      |
   |                                |                                | Network Security Services      |
   |                                |                                | (NSS) 3.59 on **13 November    |
   |                                |                                | 2020**, which is a minor       |
   |                                |                                | release.                       |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   | 174                            | :ref:`mozilla_projects         |                                |
   |                                | _nss_nss_3_59_1_release_notes` |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                | The NSS team has released      |
   |                                |                                | Network Security Services      |
   |                                |                                | (NSS) 3.59.1 on **18 December  |
   |                                |                                | 2020**, which is a patch       |
   |                                |                                | release for NSS 3.59.          |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   | 175                            | :ref:`mozilla_projec           |                                |
   |                                | ts_nss_nss_3_60_release_notes` |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                | The NSS team has released      |
   |                                |                                | Network Security Services      |
   |                                |                                | (NSS) 3.60 on **11 December    |
   |                                |                                | 2020**, which is a minor       |
   |                                |                                | release.                       |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   | 176                            | :ref:`mozilla_projects         |                                |
   |                                | _nss_nss_3_60_1_release_notes` |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                | The NSS team released Network  |
   |                                |                                | Security Services (NSS) 3.60.1 |
   |                                |                                | on **4 January 2021**, which   |
   |                                |                                | is a patch release for NSS     |
   |                                |                                | 3.60.                          |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   | 177                            | :ref:`mozilla_projec           |                                |
   |                                | ts_nss_nss_3_61_release_notes` |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                | The NSS team released Network  |
   |                                |                                | Security Services (NSS) 3.61   |
   |                                |                                | on **22 January 2021**, which  |
   |                                |                                | is a minor release.            |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   | 178                            | :ref:`mozilla_projec           |                                |
   |                                | ts_nss_nss_3_62_release_notes` |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                | The NSS team released Network  |
   |                                |                                | Security Services (NSS) 3.62   |
   |                                |                                | on **19 February 2021**, which |
   |                                |                                | is a minor release.            |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   | 179                            | :ref:`mozilla_projec           |                                |
   |                                | ts_nss_nss_3_63_release_notes` |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                | Network Security Services      |
   |                                |                                | (NSS) 3.63 was released on     |
   |                                |                                | **18 March 2021**.             |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   | 180                            | :ref:`mozilla_projects         |                                |
   |                                | _nss_nss_3_63_1_release_notes` |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                | Network Security Services      |
   |                                |                                | (NSS) 3.63.1 was released on   |
   |                                |                                | **6 April 2021**.              |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   | 181                            | :ref:`mozilla_projec           |                                |
   |                                | ts_nss_nss_3_64_release_notes` |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                | Network Security Services      |
   |                                |                                | (NSS) 3.64 was released on     |
   |                                |                                | **15 April 2021**.             |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   | 182                            | :ref:`mozilla_pr               |                                |
   |                                | ojects_nss_nss_api_guidelines` |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                | Newsgroup:                     |
   |                                |                                | `mozilla.dev.tech              |
   |                                |                                | .crypto <news://news.mozilla.o |
   |                                |                                | rg/mozilla.dev.tech.crypto>`__ |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   | 183                            | :ref:`mozilla_pr               |                                |
   |                                | ojects_nss_nss_config_options` |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                | The specified ciphers will be  |
   |                                |                                | allowed by policy, but an      |
   |                                |                                | application may allow more by  |
   |                                |                                | policy explicitly:             |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   | 184                            | :ref:`mozilla_projec           | **NSS, Tutorial**              |
   |                                | ts_nss_nss_developer_tutorial` |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                | **Line length** should not     |
   |                                |                                | exceed 80 characters.          |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   | 185                            | :ref:`mozilla_projects_n       |                                |
   |                                | ss_nss_release_notes_template` |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                | The NSS team has released      |
   |                                |                                | Network Security Services      |
   |                                |                                | (NSS) 3.XX, which is a minor   |
   |                                |                                | release.                       |
   |                                |                                | or                             |
   |                                |                                | Network Security Services      |
   |                                |                                | (NSS) 3.XX.y is a patch        |
   |                                |                                | release for NSS 3.XX. The bug  |
   |                                |                                | fixes in NSS 3.XX.y are        |
   |                                |                                | described in the "Bugs Fixed"  |
   |                                |                                | section below.                 |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   | 186                            | :ref:`mozi                     | **Landing, Mozilla, NSS,       |
   |                                | lla_projects_nss_nss_releases` | Networking, Project, Release   |
   |                                |                                | Notes, Security**              |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                | The current **Stable** release |
   |                                |                                | of NSS is 3.64, which was      |
   |                                |                                | released on **15 April 2021**. |
   |                                |                                | (:ref:`mozilla_project         |
   |                                |                                | s_nss_nss_3_64_release_notes`) |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   | 187                            | :ref:`mozilla                  | **Example**                    |
   |                                | _projects_nss_nss_sample_code` |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                | The collection of sample code  |
   |                                |                                | here demonstrates how NSS can  |
   |                                |                                | be used for cryptographic      |
   |                                |                                | operations, certificate        |
   |                                |                                | handling, SSL, etc. It also    |
   |                                |                                | demonstrates some best         |
   |                                |                                | practices in the application   |
   |                                |                                | of cryptography.               |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   | 188                            | :ref:`mozilla_projec           |                                |
   |                                | ts_nss_nss_sample_code_enc_dec |                                |
   |                                | _mac_output_plblic_key_as_csr` |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                | Generates encryption/mac keys  |
   |                                |                                | and outputs public key as      |
   |                                |                                | certificate signing request    |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   | 189                            | :ref:`mozilla_projects_nss_ns  |                                |
   |                                | s_sample_code_enc_dec_mac_usin |                                |
   |                                | g_key_wrap_certreq_pkcs10_csr` |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                | Generates encryption/mac keys  |
   |                                |                                | and outputs public key as      |
   |                                |                                | pkcs11 certificate signing     |
   |                                |                                | request                        |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   | 190                            | :ref:`mozilla_p                |                                |
   |                                | rojects_nss_nss_sample_code_en |                                |
   |                                | crypt_decrypt_mac_using_token` |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                | Generates encryption/mac keys  |
   |                                |                                | and uses token for storing.    |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   | 191                            | :ref:`mozilla_pr               | **Examples, NSS, Security**    |
   |                                | ojects_nss_nss_sample_code_nss |                                |
   |                                | _sample_code_sample_1_hashing` |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                | This is an example program     |
   |                                |                                | that demonstrates how to       |
   |                                |                                | compute the hash of a file and |
   |                                |                                | save it to another file. This  |
   |                                |                                | program illustrates the use of |
   |                                |                                | NSS message APIs.              |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   | 192                            | :ref:`mozilla_projects_nss_nss | **Examples, NSS, Security**    |
   |                                | _sample_code_nss_sample_code_s |                                |
   |                                | ample_2_initialization_of_nss` |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                | This example program           |
   |                                |                                | demonstrates how to initialize |
   |                                |                                | the NSS Database. This         |
   |                                |                                | program illustrates password   |
   |                                |                                | handling.                      |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   | 193                            | :ref                           | **Examples, NSS, Security**    |
   |                                | :`mozilla_projects_nss_nss_sam |                                |
   |                                | ple_code_nss_sample_code_sampl |                                |
   |                                | e_3_basic_encryption_and_maci` |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                | This example program           |
   |                                |                                | demonstrates how to encrypt    |
   |                                |                                | and MAC a file.                |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   | 194                            | :ref:`m                        |                                |
   |                                | ozilla_projects_nss_nss_sample |                                |
   |                                | _code_nss_sample_code_sample1` |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                | This is an example program     |
   |                                |                                | that demonstrates how to do    |
   |                                |                                | key generation and transport   |
   |                                |                                | between cooperating servers.   |
   |                                |                                | This program shows the         |
   |                                |                                | following:                     |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   | 195                            | :ref:`m                        |                                |
   |                                | ozilla_projects_nss_nss_sample |                                |
   |                                | _code_nss_sample_code_sample2` |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                | *No summary!*                  |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   | 196                            | :ref:`m                        |                                |
   |                                | ozilla_projects_nss_nss_sample |                                |
   |                                | _code_nss_sample_code_sample3` |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                | *No summary!*                  |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   | 197                            | :ref:`m                        |                                |
   |                                | ozilla_projects_nss_nss_sample |                                |
   |                                | _code_nss_sample_code_sample4` |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                | *No summary!*                  |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   | 198                            | :ref:`m                        |                                |
   |                                | ozilla_projects_nss_nss_sample |                                |
   |                                | _code_nss_sample_code_sample5` |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                | *No summary!*                  |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   | 199                            | :ref:`m                        |                                |
   |                                | ozilla_projects_nss_nss_sample |                                |
   |                                | _code_nss_sample_code_sample6` |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                | *No summary!*                  |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   | 200                            | :ref:`mozil                    | **Examples, NSS, Security**    |
   |                                | la_projects_nss_nss_sample_cod |                                |
   |                                | e_nss_sample_code_utililies_1` |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                | This is a library of utilities |
   |                                |                                | used by many of the samples.   |
   |                                |                                | This code shows the following: |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   | 201                            | :                              | **HTML, Hashing Sample,        |
   |                                | ref:`mozilla_projects_nss_nss_ | JavaScript, NSS, Web           |
   |                                | sample_code_sample1_-_hashing` | Development, hashing**         |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                | The NSS sample code below      |
   |                                |                                | computes the hash of a file    |
   |                                |                                | and saves it to another file,  |
   |                                |                                | this illustrates the use of    |
   |                                |                                | NSS message APIs.              |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   | 202                            | :ref:`mozilla_project          | **Example, NSS**               |
   |                                | s_nss_nss_sample_code_sample1` |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                | 1. A program to compute the    |
   |                                |                                | hash of a file and save it to  |
   |                                |                                | another file.                  |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   | 203                            | :ref:`mozilla_pro              | **HTML, JavaScript, NSS, NSS   |
   |                                | jects_nss_nss_sample_code_samp | Article, NSS Initialization,   |
   |                                | le2_-_initialize_nss_database` | Web Development**              |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                | The NSS sample code below      |
   |                                |                                | demonstrates how to initialize |
   |                                |                                | the NSS database.              |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   | 204                            | :ref:`mozilla_project          |                                |
   |                                | s_nss_nss_sample_code_sample2` |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                | *No summary!*                  |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   | 205                            | :ref:`mozilla_projects         | **EncDeCMac, HTML, NCC, NCC    |
   |                                | _nss_nss_sample_code_sample3_- | Article, Web, Web              |
   |                                | _encdecmac_using_token_object` | Development**                  |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                | Computes the hash of a file    |
   |                                |                                | and saves it to another file,  |
   |                                |                                | illustrates the use of NSS     |
   |                                |                                | message APIs.                  |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   | 206                            | :ref:`moz                      |                                |
   |                                | illa_projects_nss_nss_sample_c |                                |
   |                                | ode_utiltiies_for_nss_samples` |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                | These utility functions are    |
   |                                |                                | adapted from those found in    |
   |                                |                                | the sectool library used by    |
   |                                |                                | the NSS security tools and     |
   |                                |                                | other NSS test applications.   |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   | 207                            | :ref:`mozilla_projects_nss     | **Build documentation, Guide,  |
   |                                | _nss_sources_building_testing` | NSS, Security**                |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                | Getting the source code of     |
   |                                |                                | :ref:`mozilla_projects_nss`,   |
   |                                |                                | how to build it, and how to    |
   |                                |                                | run its test suite.            |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   | 208                            | :ref:`mozill                   | **NSS**                        |
   |                                | a_projects_nss_nss_tech_notes` |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                | Newsgroup:                     |
   |                                |                                | `mozilla.dev.tech              |
   |                                |                                | .crypto <news://news.mozilla.o |
   |                                |                                | rg/mozilla.dev.tech.crypto>`__ |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   | 209                            | :ref:`mozilla_projects_nss_    |                                |
   |                                | nss_tech_notes_nss_tech_note1` |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                | The main non-streaming APIs    |
   |                                |                                | for these two decoders have an |
   |                                |                                | identical prototype:           |
   +--------------------------------+--------------------------------+--------------------------------+
   |                                |                                |                                |
   +--------------------------------+--------------------------------+--------------------------------+
   | 210                            | :ref:`mozilla_projects_nss_    |                                |
   |                                |
nss_tech_notes_nss_tech_note2` | | 3338 +--------------------------------+--------------------------------+--------------------------------+ 3339 | | | The logger displays all | 3340 | | | activity between NSS and a | 3341 | | | specified PKCS #11 module. It | 3342 | | | works by inserting a special | 3343 | | | set of entry points between | 3344 | | | NSS and the module. | 3345 +--------------------------------+--------------------------------+--------------------------------+ 3346 | | | | 3347 +--------------------------------+--------------------------------+--------------------------------+ 3348 | 211 | :ref:`mozilla_projects_nss_ | | 3349 | | nss_tech_notes_nss_tech_note3` | | 3350 +--------------------------------+--------------------------------+--------------------------------+ 3351 | | | *No summary!* | 3352 +--------------------------------+--------------------------------+--------------------------------+ 3353 | | | | 3354 +--------------------------------+--------------------------------+--------------------------------+ 3355 | 212 | :ref:`mozilla_projects_nss_ | | 3356 | | nss_tech_notes_nss_tech_note4` | | 3357 +--------------------------------+--------------------------------+--------------------------------+ 3358 | | | *No summary!* | 3359 +--------------------------------+--------------------------------+--------------------------------+ 3360 | | | | 3361 +--------------------------------+--------------------------------+--------------------------------+ 3362 | 213 | :ref:`mozilla_projects_nss_ | | 3363 | | nss_tech_notes_nss_tech_note5` | | 3364 +--------------------------------+--------------------------------+--------------------------------+ 3365 | | | **Note:** AES encryption, a | 3366 | | | fixed blocksize of 16 bytes is | 3367 | | | used. The Rijndael algorithm | 3368 | | | permits 3 blocksizes (16, 24, | 3369 | | | 32 bytes), but the AES | 3370 | | | standard requires the | 3371 | | | blocksize to be 16 bytes. 
The | 3372 | | | keysize can vary and these | 3373 | | | keysizes are permitted: 16, | 3374 | | | 24, 32 bytes. | 3375 | | | You can also look at a `sample | 3376 | | | program <. | 3377 | | | ./sample-code/sample2.html>`__ | 3378 | | | illustrating encryption | 3379 +--------------------------------+--------------------------------+--------------------------------+ 3380 | | | | 3381 +--------------------------------+--------------------------------+--------------------------------+ 3382 | 214 | :ref:`mozilla_projects_nss_ | | 3383 | | nss_tech_notes_nss_tech_note6` | | 3384 +--------------------------------+--------------------------------+--------------------------------+ 3385 | | | The following applies to NSS | 3386 | | | 3.8 through 3.10 : | 3387 +--------------------------------+--------------------------------+--------------------------------+ 3388 | | | | 3389 +--------------------------------+--------------------------------+--------------------------------+ 3390 | 215 | :ref:`mozilla_projects_nss_ | | 3391 | | nss_tech_notes_nss_tech_note7` | | 3392 +--------------------------------+--------------------------------+--------------------------------+ 3393 | | | This technical note explains | 3394 | | | how to use NSS to perform RSA | 3395 | | | signing and encryption. The | 3396 | | | industry standard for RSA | 3397 | | | signing and encryption is | 3398 | | | `PKCS | 3399 | | | #1 <http://www.rsasecurity.com | 3400 | | | /rsalabs/node.asp?id=2125>`__. | 3401 | | | NSS supports PKCS #1 v1.5. NSS | 3402 | | | doesn't yet support PKCS #1 | 3403 | | | v2.0 and v2.1, in particular | 3404 | | | OAEP, but OAEP support is on | 3405 | | | our `to-do | 3406 | | | li | 3407 | | | st <https://bugzilla.mozilla.o | 3408 | | | rg/show_bug.cgi?id=158747>`__. | 3409 | | | Your contribution is welcome. 
| 3410 +--------------------------------+--------------------------------+--------------------------------+ 3411 | | | | 3412 +--------------------------------+--------------------------------+--------------------------------+ 3413 | 216 | :ref:`mozilla_projects_nss_ | | 3414 | | nss_tech_notes_nss_tech_note8` | | 3415 +--------------------------------+--------------------------------+--------------------------------+ 3416 | | | *No summary!* | 3417 +--------------------------------+--------------------------------+--------------------------------+ 3418 | | | | 3419 +--------------------------------+--------------------------------+--------------------------------+ 3420 | 217 | :ref:`mozilla_proj | **NSS, Security, Third-Party | 3421 | | ects_nss_nss_third-party_code` | Code** | 3422 +--------------------------------+--------------------------------+--------------------------------+ 3423 | | | This is a list of third-party | 3424 | | | code included in the NSS | 3425 | | | repository, broken into two | 3426 | | | lists: Code that can be | 3427 | | | compiled into the NSS | 3428 | | | libraries, and code that is | 3429 | | | only used for testing. 
| 3430 +--------------------------------+--------------------------------+--------------------------------+ 3431 | | | | 3432 +--------------------------------+--------------------------------+--------------------------------+ 3433 | 218 | :ref:`mozilla_proje | | 3434 | | cts_nss_nss_tools_sslstrength` | | 3435 +--------------------------------+--------------------------------+--------------------------------+ 3436 | | | 2) sslstrength hostname[:port] | 3437 | | | [ciphers=xyz] [debug] | 3438 | | | [verbose] | 3439 | | | [policy=export|domestic] | 3440 +--------------------------------+--------------------------------+--------------------------------+ 3441 | | | | 3442 +--------------------------------+--------------------------------+--------------------------------+ 3443 | 219 | :ref:` | **NSS** | 3444 | | mozilla_projects_nss_overview` | | 3445 +--------------------------------+--------------------------------+--------------------------------+ 3446 | | | If you want to add support for | 3447 | | | SSL, S/MIME, or other Internet | 3448 | | | security standards to your | 3449 | | | application, you can use | 3450 | | | Network Security Services | 3451 | | | (NSS) to implement all your | 3452 | | | security features. 
NSS | 3453 | | | provides a complete | 3454 | | | open-source implementation of | 3455 | | | the crypto libraries used by | 3456 | | | AOL, Red Hat, Google, and | 3457 | | | other companies in a variety | 3458 | | | of products, including the | 3459 | | | following: | 3460 +--------------------------------+--------------------------------+--------------------------------+ 3461 | | | | 3462 +--------------------------------+--------------------------------+--------------------------------+ 3463 | 220 | :ref:`mozilla_p | **NSS** | 3464 | | rojects_nss_pkcs_12_functions` | | 3465 +--------------------------------+--------------------------------+--------------------------------+ 3466 | | | The public functions listed | 3467 | | | here perform PKCS #12 | 3468 | | | operations required by some of | 3469 | | | the NSS tools and other | 3470 | | | applications. | 3471 +--------------------------------+--------------------------------+--------------------------------+ 3472 | | | | 3473 +--------------------------------+--------------------------------+--------------------------------+ 3474 | 221 | :ref:`mozilla_ | **NSS** | 3475 | | projects_nss_pkcs_7_functions` | | 3476 +--------------------------------+--------------------------------+--------------------------------+ 3477 | | | The public functions listed | 3478 | | | here perform PKCS #7 | 3479 | | | operations required by mail | 3480 | | | and news applications and by | 3481 | | | some of the NSS tools. 
| 3482 +--------------------------------+--------------------------------+--------------------------------+ 3483 | | | | 3484 +--------------------------------+--------------------------------+--------------------------------+ 3485 | 222 | :ref:`mozilla_ | **NSS** | 3486 | | projects_nss_pkcs11_functions` | | 3487 +--------------------------------+--------------------------------+--------------------------------+ 3488 | | | This chapter describes the | 3489 | | | core PKCS #11 functions that | 3490 | | | an application needs for | 3491 | | | communicating with | 3492 | | | cryptographic modules. In | 3493 | | | particular, these functions | 3494 | | | are used for obtaining | 3495 | | | certificates, keys, and | 3496 | | | passwords. This was converted | 3497 | | | from `"Chapter 7: PKCS #11 | 3498 | | | Functions" <https://www.m | 3499 | | | ozilla.org/projects/security/p | 3500 | | | ki/nss/ref/ssl/pkfnc.html>`__. | 3501 +--------------------------------+--------------------------------+--------------------------------+ 3502 | | | | 3503 +--------------------------------+--------------------------------+--------------------------------+ 3504 | 223 | :ref:`mozilla_ | | 3505 | | projects_nss_pkcs11_implement` | | 3506 +--------------------------------+--------------------------------+--------------------------------+ 3507 | | | **NOTE:** This document was | 3508 | | | originally for the Netscape | 3509 | | | Security Library that came | 3510 | | | with Netscape Communicator | 3511 | | | 4.0. This note will be removed | 3512 | | | once the document is updated | 3513 | | | for the current version of | 3514 | | | NSS. 
| 3515 +--------------------------------+--------------------------------+--------------------------------+ 3516 | | | | 3517 +--------------------------------+--------------------------------+--------------------------------+ 3518 | 224 | :ref | **NSS, Security** | 3519 | | :`mozilla_projects_nss_pkcs11` | | 3520 +--------------------------------+--------------------------------+--------------------------------+ 3521 | | | PKCS #11 information for | 3522 | | | implementors of cryptographic | 3523 | | | modules: | 3524 +--------------------------------+--------------------------------+--------------------------------+ 3525 | | | | 3526 +--------------------------------+--------------------------------+--------------------------------+ 3527 | 225 | :ref:`mo | **NSS, Security** | 3528 | | zilla_projects_nss_pkcs11_faq` | | 3529 +--------------------------------+--------------------------------+--------------------------------+ 3530 | | | NSS searches all the installed | 3531 | | | PKCS #11 modules when looking | 3532 | | | for certificates. Once you've | 3533 | | | installed the module, the | 3534 | | | module's certificates simply | 3535 | | | appear in the list of | 3536 | | | certificates displayed in the | 3537 | | | Certificate window. 
| 3538 +--------------------------------+--------------------------------+--------------------------------+ 3539 | | | | 3540 +--------------------------------+--------------------------------+--------------------------------+ 3541 | 226 | :ref:`mozilla_projects_n | **Authentication, Biometric, | 3542 | | ss_pkcs11_module_installation` | Mozilla, NSS, PKCS #11, | 3543 | | | Projects, Security, Smart | 3544 | | | Card, Smart-card, Smartcard, | 3545 | | | pkcs11** | 3546 +--------------------------------+--------------------------------+--------------------------------+ 3547 | | | `PKCS #11 </en-US/PKCS11>`__ | 3548 | | | modules are external modules | 3549 | | | which add to Firefox support | 3550 | | | for smartcard readers, | 3551 | | | biometric security devices, | 3552 | | | and external certificate | 3553 | | | stores. This article covers | 3554 | | | the two methods for installing | 3555 | | | PKCS #11 modules into Firefox. | 3556 +--------------------------------+--------------------------------+--------------------------------+ 3557 | | | | 3558 +--------------------------------+--------------------------------+--------------------------------+ 3559 | 227 | :ref:`mozilla_pro | **NSS** | 3560 | | jects_nss_pkcs11_module_specs` | | 3561 +--------------------------------+--------------------------------+--------------------------------+ 3562 | | | The following is a proposal to | 3563 | | | the | 3564 | | | `PKCS <https:// | 3565 | | | en.wikipedia.org/wiki/PKCS>`__ | 3566 | | | #11 working group made in | 3567 | | | August 2001 for configuring | 3568 | | | PKCS #11 modules. NSS | 3569 | | | currently implements this | 3570 | | | proposal internally. 
| 3571 +--------------------------------+--------------------------------+--------------------------------+ 3572 | | | | 3573 +--------------------------------+--------------------------------+--------------------------------+ 3574 | 228 | :ref:`mozilla_projec | | 3575 | | ts_nss_python_binding_for_nss` | | 3576 +--------------------------------+--------------------------------+--------------------------------+ 3577 | | | python-nss is a Python binding | 3578 | | | for NSS (Network Security | 3579 | | | Services) and NSPR (Netscape | 3580 | | | Portable Runtime). NSS | 3581 | | | provides cryptography services | 3582 | | | supporting SSL, TLS, PKI, | 3583 | | | PKIX, X509, PKCS*, etc. NSS is | 3584 | | | an alternative to OpenSSL and | 3585 | | | used extensively by major | 3586 | | | software projects. NSS is | 3587 | | | FIPS-140 certified. | 3588 +--------------------------------+--------------------------------+--------------------------------+ 3589 | | | | 3590 +--------------------------------+--------------------------------+--------------------------------+ 3591 | 229 | :ref:`m | **NSS** | 3592 | | ozilla_projects_nss_reference` | | 3593 +--------------------------------+--------------------------------+--------------------------------+ 3594 | | | Based on | 3595 | | | :ref:`mozilla_projec | 3596 | | | ts_nss_ssl_functions_sslintro` | 3597 | | | in the SSL Reference. | 3598 +--------------------------------+--------------------------------+--------------------------------+ 3599 | | | | 3600 +--------------------------------+--------------------------------+--------------------------------+ 3601 | 230 | :ref: | **NSS** | 3602 | | `mozilla_projects_nss_referenc | | 3603 | | e_building_and_installing_nss` | | 3604 +--------------------------------+--------------------------------+--------------------------------+ 3605 | | | This chapter describes how to | 3606 | | | build and install NSS. 
| 3607 +--------------------------------+--------------------------------+--------------------------------+ 3608 | | | | 3609 +--------------------------------+--------------------------------+--------------------------------+ 3610 | 231 | :ref:`mozilla_projects_n | **NSS** | 3611 | | ss_reference_building_and_inst | | 3612 | | alling_nss_build_instructions` | | 3613 +--------------------------------+--------------------------------+--------------------------------+ 3614 | | | Numerous optional features of | 3615 | | | NSS builds are controlled | 3616 | | | through make variables. | 3617 +--------------------------------+--------------------------------+--------------------------------+ 3618 | | | | 3619 +--------------------------------+--------------------------------+--------------------------------+ 3620 | 232 | :ref:`mozilla_projects_n | **NSS** | 3621 | | ss_reference_building_and_inst | | 3622 | | alling_nss_installation_guide` | | 3623 +--------------------------------+--------------------------------+--------------------------------+ 3624 | | | The build system of NSS | 3625 | | | originated from Netscape's | 3626 | | | build system, which predated | 3627 | | | the "configure; make; make | 3628 | | | test; make install" sequence | 3629 | | | that we're familiar with now. | 3630 | | | Our makefiles also have an | 3631 | | | "install" target, but it has a | 3632 | | | different meaning: our | 3633 | | | "install" means installing the | 3634 | | | headers, libraries, and | 3635 | | | programs in the appropriate | 3636 | | | directories under | 3637 | | | mozilla/dist. 
| 3638 +--------------------------------+--------------------------------+--------------------------------+ 3639 | | | | 3640 +--------------------------------+--------------------------------+--------------------------------+ 3641 | 233 | :ref:`mozilla_project | | 3642 | | s_nss_reference_building_and_i | | 3643 | | nstalling_nss_migration_to_hg` | | 3644 +--------------------------------+--------------------------------+--------------------------------+ 3645 | | | The NSPR, NSS and related | 3646 | | | projects have stopped using | 3647 | | | Mozilla'a CVS server, but have | 3648 | | | migrated to | 3649 | | | Mozilla's HG (Mercurial) | 3650 | | | server. | 3651 | | | Each project now lives in its | 3652 | | | own separate space, they can | 3653 | | | be found at: | 3654 | | | https:/ | 3655 | | | /hg.mozilla.org/projects/nspr/ | 3656 | | | https: | 3657 | | | //hg.mozilla.org/projects/nss/ | 3658 | | | https: | 3659 | | | //hg.mozilla.org/projects/jss/ | 3660 | | | | 3661 | | | https://hg.mo | 3662 | | | zilla.org/projects/python-nss/ | 3663 +--------------------------------+--------------------------------+--------------------------------+ 3664 | | | | 3665 +--------------------------------+--------------------------------+--------------------------------+ 3666 | 234 | :r | **NSS** | 3667 | | ef:`mozilla_projects_nss_refer | | 3668 | | ence_building_and_installing_n | | 3669 | | ss_sample_manual_installation` | | 3670 +--------------------------------+--------------------------------+--------------------------------+ 3671 | | | The NSS build system does not | 3672 | | | include a target to install | 3673 | | | header files and shared | 3674 | | | libraries in the system | 3675 | | | directories, so this needs to | 3676 | | | be done manually. 
| 3677 +--------------------------------+--------------------------------+--------------------------------+ 3678 | | | | 3679 +--------------------------------+--------------------------------+--------------------------------+ 3680 | 235 | :ref:`mozilla_projects_ns | **NSS** | 3681 | | s_reference_fc_cancelfunction` | | 3682 +--------------------------------+--------------------------------+--------------------------------+ 3683 | | | FC_CancelFunction - cancel a | 3684 | | | function running in parallel | 3685 +--------------------------------+--------------------------------+--------------------------------+ 3686 | | | | 3687 +--------------------------------+--------------------------------+--------------------------------+ 3688 | 236 | :ref:`mozilla_projects_nss_ | **NSS** | 3689 | | reference_fc_closeallsessions` | | 3690 +--------------------------------+--------------------------------+--------------------------------+ 3691 | | | FC_CloseAllSessions - close | 3692 | | | all sessions between an | 3693 | | | application and a token. | 3694 +--------------------------------+--------------------------------+--------------------------------+ 3695 | | | | 3696 +--------------------------------+--------------------------------+--------------------------------+ 3697 | 237 | :ref:`mozilla_projects_ | **NSS** | 3698 | | nss_reference_fc_closesession` | | 3699 +--------------------------------+--------------------------------+--------------------------------+ 3700 | | | FC_CloseSession - close a | 3701 | | | session opened between an | 3702 | | | application and a token. 
| 3703 +--------------------------------+--------------------------------+--------------------------------+ 3704 | | | | 3705 +--------------------------------+--------------------------------+--------------------------------+ 3706 | 238 | :ref:`mozilla_project | **NSS** | 3707 | | s_nss_reference_fc_copyobject` | | 3708 +--------------------------------+--------------------------------+--------------------------------+ 3709 | | | FC_CopyObject - create a copy | 3710 | | | of an object. | 3711 +--------------------------------+--------------------------------+--------------------------------+ 3712 | | | | 3713 +--------------------------------+--------------------------------+--------------------------------+ 3714 | 239 | :ref:`mozilla_projects_ | **NSS** | 3715 | | nss_reference_fc_createobject` | | 3716 +--------------------------------+--------------------------------+--------------------------------+ 3717 | | | FC_CreateObject - create a new | 3718 | | | object. | 3719 +--------------------------------+--------------------------------+--------------------------------+ 3720 | | | | 3721 +--------------------------------+--------------------------------+--------------------------------+ 3722 | 240 | :ref:`mozilla_proj | **NSS** | 3723 | | ects_nss_reference_fc_decrypt` | | 3724 +--------------------------------+--------------------------------+--------------------------------+ 3725 | | | FC_Decrypt - Decrypt a block | 3726 | | | of data. 
| 3727 +--------------------------------+--------------------------------+--------------------------------+ 3728 | | | | 3729 +--------------------------------+--------------------------------+--------------------------------+ 3730 | 241 | :ref:`mozilla_projects_nss_ref | **NSS** | 3731 | | erence_fc_decryptdigestupdate` | | 3732 +--------------------------------+--------------------------------+--------------------------------+ 3733 | | | FC_DecryptDigestUpdate - | 3734 | | | continue a multi-part decrypt | 3735 | | | and digest operation | 3736 +--------------------------------+--------------------------------+--------------------------------+ 3737 | | | | 3738 +--------------------------------+--------------------------------+--------------------------------+ 3739 | 242 | :ref:`mozilla_projects_ | **NSS** | 3740 | | nss_reference_fc_decryptfinal` | | 3741 +--------------------------------+--------------------------------+--------------------------------+ 3742 | | | FC_DecryptFinal - finish a | 3743 | | | multi-part decryption | 3744 | | | operation. | 3745 +--------------------------------+--------------------------------+--------------------------------+ 3746 | | | | 3747 +--------------------------------+--------------------------------+--------------------------------+ 3748 | 243 | :ref:`mozilla_projects | **NSS** | 3749 | | _nss_reference_fc_decryptinit` | | 3750 +--------------------------------+--------------------------------+--------------------------------+ 3751 | | | FC_DecryptInit - initialize a | 3752 | | | decryption operation. 
| 3753 +--------------------------------+--------------------------------+--------------------------------+ 3754 | | | | 3755 +--------------------------------+--------------------------------+--------------------------------+ 3756 | 244 | :ref:`mozilla_projects_n | **NSS** | 3757 | | ss_reference_fc_decryptupdate` | | 3758 +--------------------------------+--------------------------------+--------------------------------+ 3759 | | | FC_DecryptUpdate - decrypt a | 3760 | | | block of a multi-part | 3761 | | | encryption operation. | 3762 +--------------------------------+--------------------------------+--------------------------------+ 3763 | | | | 3764 +--------------------------------+--------------------------------+--------------------------------+ 3765 | 245 | :ref:`mozilla_projects_nss_ref | **NSS** | 3766 | | erence_fc_decryptverifyupdate` | | 3767 +--------------------------------+--------------------------------+--------------------------------+ 3768 | | | FC_DecryptVerifyUpdate - | 3769 | | | continue a multi-part decrypt | 3770 | | | and verify operation | 3771 +--------------------------------+--------------------------------+--------------------------------+ 3772 | | | | 3773 +--------------------------------+--------------------------------+--------------------------------+ 3774 | 246 | :ref:`mozilla_projec | **NSS** | 3775 | | ts_nss_reference_fc_derivekey` | | 3776 +--------------------------------+--------------------------------+--------------------------------+ 3777 | | | FC_DeriveKey - derive a key | 3778 | | | from a base key | 3779 +--------------------------------+--------------------------------+--------------------------------+ 3780 | | | | 3781 +--------------------------------+--------------------------------+--------------------------------+ 3782 | 247 | :ref:`mozilla_projects_n | **NSS** | 3783 | | ss_reference_fc_destroyobject` | | 3784 
+--------------------------------+--------------------------------+--------------------------------+ 3785 | | | FC_DestroyObject - destroy an | 3786 | | | object. | 3787 +--------------------------------+--------------------------------+--------------------------------+ 3788 | | | | 3789 +--------------------------------+--------------------------------+--------------------------------+ 3790 | 248 | :ref:`mozilla_pro | **NSS** | 3791 | | jects_nss_reference_fc_digest` | | 3792 +--------------------------------+--------------------------------+--------------------------------+ 3793 | | | FC_Digest - digest a block of | 3794 | | | data. | 3795 +--------------------------------+--------------------------------+--------------------------------+ 3796 | | | | 3797 +--------------------------------+--------------------------------+--------------------------------+ 3798 | 249 | :ref:`mozilla_projects_nss_ref | **NSS** | 3799 | | erence_fc_digestencryptupdate` | | 3800 +--------------------------------+--------------------------------+--------------------------------+ 3801 | | | FC_DigestEncryptUpdate - | 3802 | | | continue a multi-part digest | 3803 | | | and encryption operation | 3804 +--------------------------------+--------------------------------+--------------------------------+ 3805 | | | | 3806 +--------------------------------+--------------------------------+--------------------------------+ 3807 | 250 | :ref:`mozilla_projects | **NSS** | 3808 | | _nss_reference_fc_digestfinal` | | 3809 +--------------------------------+--------------------------------+--------------------------------+ 3810 | | | FC_DigestFinal - finish a | 3811 | | | multi-part digest operation. 
| 3812 +--------------------------------+--------------------------------+--------------------------------+ 3813 | | | | 3814 +--------------------------------+--------------------------------+--------------------------------+ 3815 | 251 | :ref:`mozilla_project | **NSS** | 3816 | | s_nss_reference_fc_digestinit` | | 3817 +--------------------------------+--------------------------------+--------------------------------+ 3818 | | | FC_DigestInit - initialize a | 3819 | | | message-digest operation. | 3820 +--------------------------------+--------------------------------+--------------------------------+ 3821 | | | | 3822 +--------------------------------+--------------------------------+--------------------------------+ 3823 | 252 | :ref:`mozilla_projec | **NSS** | 3824 | | ts_nss_reference_fc_digestkey` | | 3825 +--------------------------------+--------------------------------+--------------------------------+ 3826 | | | FC_DigestKey - add the digest | 3827 | | | of a key to a multi-part | 3828 | | | digest operation. | 3829 +--------------------------------+--------------------------------+--------------------------------+ 3830 | | | | 3831 +--------------------------------+--------------------------------+--------------------------------+ 3832 | 253 | :ref:`mozilla_projects_ | **NSS** | 3833 | | nss_reference_fc_digestupdate` | | 3834 +--------------------------------+--------------------------------+--------------------------------+ 3835 | | | FC_DigestUpdate - process the | 3836 | | | next block of a multi-part | 3837 | | | digest operation. 
| 3838 +--------------------------------+--------------------------------+--------------------------------+ 3839 | | | | 3840 +--------------------------------+--------------------------------+--------------------------------+ 3841 | 254 | :ref:`mozilla_proj | **NSS** | 3842 | | ects_nss_reference_fc_encrypt` | | 3843 +--------------------------------+--------------------------------+--------------------------------+ 3844 | | | FC_Encrypt - Encrypt a block | 3845 | | | of data. | 3846 +--------------------------------+--------------------------------+--------------------------------+ 3847 | | | | 3848 +--------------------------------+--------------------------------+--------------------------------+ 3849 | 255 | :ref:`mozilla_projects_ | **NSS** | 3850 | | nss_reference_fc_encryptfinal` | | 3851 +--------------------------------+--------------------------------+--------------------------------+ 3852 | | | FC_EncryptFinal - finish a | 3853 | | | multi-part encryption | 3854 | | | operation. | 3855 +--------------------------------+--------------------------------+--------------------------------+ 3856 | | | | 3857 +--------------------------------+--------------------------------+--------------------------------+ 3858 | 256 | :ref:`mozilla_projects | **NSS** | 3859 | | _nss_reference_fc_encryptinit` | | 3860 +--------------------------------+--------------------------------+--------------------------------+ 3861 | | | FC_EncryptInit - initialize an | 3862 | | | encryption operation. 
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 257                            | :ref:`mozilla_projects_n       | **NSS**                        |
|                                | ss_reference_fc_encryptupdate` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | FC_EncryptUpdate - encrypt a   |
|                                |                                | block of a multi-part          |
|                                |                                | encryption operation.          |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 258                            | :ref:`mozilla_proje            | **NSS**                        |
|                                | cts_nss_reference_fc_finalize` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | FC_Finalize - indicate that an |
|                                |                                | application is done with the   |
|                                |                                | PKCS #11 library.              |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 259                            | :ref:`mozilla_projects         | **NSS**                        |
|                                | _nss_reference_fc_findobjects` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | FC_FindObjects - Search for    |
|                                |                                | one or more objects            |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 260                            | :ref:`mozilla_projects_nss_    | **NSS**                        |
|                                | reference_fc_findobjectsfinal` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | FC_FindObjectsFinal -          |
|                                |                                | terminate an object search.    |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 261                            | :ref:`mozilla_projects_nss     | **NSS**                        |
|                                | _reference_fc_findobjectsinit` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | FC_FindObjectsInit -           |
|                                |                                | initialize the parameters for  |
|                                |                                | an object search.              |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 262                            | :ref:`mozilla_projects         | **NSS**                        |
|                                | _nss_reference_fc_generatekey` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | FC_GenerateKey - generate a    |
|                                |                                | new key                        |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 263                            | :ref:`mozilla_projects_nss     | **NSS**                        |
|                                | _reference_fc_generatekeypair` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | FC_GenerateKeyPair - generate  |
|                                |                                | a new public/private key pair  |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 264                            | :ref:`mozilla_projects_ns      | **NSS**                        |
|                                | s_reference_fc_generaterandom` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | FC_GenerateRandom - generate a |
|                                |                                | random number.                 |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 265                            | :ref:`mozilla_projects_nss_r   | **NSS**                        |
|                                | eference_fc_getattributevalue` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | FC_GetAttributeValue - get the |
|                                |                                | value of attributes of an      |
|                                |                                | object.                        |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 266                            | :ref:`mozilla_projects_nss     | **NSS**                        |
|                                | _reference_fc_getfunctionlist` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | FC_GetFunctionList - get a     |
|                                |                                | pointer to the list of         |
|                                |                                | function pointers in the FIPS  |
|                                |                                | mode of operation.             |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 267                            | :ref:`mozilla_projects_nss_r   | **NSS**                        |
|                                | eference_fc_getfunctionstatus` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | FC_GetFunctionStatus - get the |
|                                |                                | status of a function running   |
|                                |                                | in parallel                    |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 268                            | :ref:`mozilla_proj             | **NSS**                        |
|                                | ects_nss_reference_fc_getinfo` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | FC_GetInfo - return general    |
|                                |                                | information about the PKCS #11 |
|                                |                                | library.                       |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 269                            | :ref:`mozilla_projects_nss_    | **NSS**                        |
|                                | reference_fc_getmechanisminfo` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | FC_GetMechanismInfo - get      |
|                                |                                | information on a particular    |
|                                |                                | mechanism.                     |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 270                            | :ref:`mozilla_projects_nss_    | **NSS**                        |
|                                | reference_fc_getmechanismlist` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | FC_GetMechanismList - get a    |
|                                |                                | list of mechanism types        |
|                                |                                | supported by a token.          |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 271                            | :ref:`mozilla_projects_n       | **NSS**                        |
|                                | ss_reference_fc_getobjectsize` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | FC_GetObjectSize - create a    |
|                                |                                | copy of an object.             |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 272                            | :ref:`mozilla_projects_nss_r   | **NSS**                        |
|                                | eference_fc_getoperationstate` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | FC_GetOperationState - get the |
|                                |                                | cryptographic operation state  |
|                                |                                | of a session.                  |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 273                            | :ref:`mozilla_projects_ns      | **NSS**                        |
|                                | s_reference_fc_getsessioninfo` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | FC_GetSessionInfo - obtain     |
|                                |                                | information about a session.   |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 274                            | :ref:`mozilla_projects         | **NSS**                        |
|                                | _nss_reference_fc_getslotinfo` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | FC_GetSlotInfo - get           |
|                                |                                | information about a particular |
|                                |                                | slot in the system.            |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 275                            | :ref:`mozilla_projects         | **NSS**                        |
|                                | _nss_reference_fc_getslotlist` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | FC_GetSlotList - Obtain a list |
|                                |                                | of slots in the system.        |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 276                            | :ref:`mozilla_projects_        | **NSS**                        |
|                                | nss_reference_fc_gettokeninfo` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | FC_GetTokenInfo - obtain       |
|                                |                                | information about a particular |
|                                |                                | token in the system.           |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 277                            | :ref:`mozilla_project          | **NSS**                        |
|                                | s_nss_reference_fc_initialize` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | FC_Initialize - initialize the |
|                                |                                | PKCS #11 library.              |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 278                            | :ref:`mozilla_proj             | **NSS**                        |
|                                | ects_nss_reference_fc_initpin` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | ``FC_InitPIN()`` - Initialize  |
|                                |                                | the user's PIN.                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 279                            | :ref:`mozilla_projec           | **NSS**                        |
|                                | ts_nss_reference_fc_inittoken` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | ``FC_InitToken()`` -           |
|                                |                                | initialize or re-initialize a  |
|                                |                                | token.                         |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 280                            | :ref:`mozilla_pr               | **NSS**                        |
|                                | ojects_nss_reference_fc_login` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | ``FC_Login()`` - log a user    |
|                                |                                | into a token.                  |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 281                            | :ref:`mozilla_pro              | **NSS**                        |
|                                | jects_nss_reference_fc_logout` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | FC_Logout - log a user out     |
|                                |                                | from a token.                  |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 282                            | :ref:`mozilla_projects         | **NSS**                        |
|                                | _nss_reference_fc_opensession` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | FC_OpenSession - open a        |
|                                |                                | session between an application |
|                                |                                | and a token.                   |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 283                            | :ref:`mozilla_project          | **NSS**                        |
|                                | s_nss_reference_fc_seedrandom` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | ``FC_SeedRandom()`` - mix      |
|                                |                                | additional seed material into  |
|                                |                                | the random number generator.   |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 284                            | :ref:`mozilla_projects_nss_r   | **NSS**                        |
|                                | eference_fc_setattributevalue` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | FC_SetAttributeValue - set the |
|                                |                                | values of attributes of an     |
|                                |                                | object.                        |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 285                            | :ref:`mozilla_projects_nss_r   | **NSS**                        |
|                                | eference_fc_setoperationstate` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | FC_SetOperationState - restore |
|                                |                                | the cryptographic operation    |
|                                |                                | state of a session.            |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 286                            | :ref:`mozilla_pro              | **NSS**                        |
|                                | jects_nss_reference_fc_setpin` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | FC_SetPIN - Modify the user's  |
|                                |                                | PIN.                           |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 287                            | :ref:`mozilla_p                | **NSS**                        |
|                                | rojects_nss_reference_fc_sign` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | FC_Sign - sign a block of      |
|                                |                                | data.                          |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 288                            | :ref:`mozilla_projects_nss_r   | **NSS**                        |
|                                | eference_fc_signencryptupdate` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | FC_SignEncryptUpdate -         |
|                                |                                | continue a multi-part signing  |
|                                |                                | and encryption operation       |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 289                            | :ref:`mozilla_projec           | **NSS**                        |
|                                | ts_nss_reference_fc_signfinal` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | FC_SignFinal - finish a        |
|                                |                                | multi-part signing operation.  |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 290                            | :ref:`mozilla_proje            | **NSS**                        |
|                                | cts_nss_reference_fc_signinit` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | FC_SignInit - initialize a     |
|                                |                                | signing operation.             |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 291                            | :ref:`mozilla_projects         | **NSS**                        |
|                                | _nss_reference_fc_signrecover` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | FC_SignRecover - Sign data in  |
|                                |                                | a single recoverable           |
|                                |                                | operation.                     |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 292                            | :ref:`mozilla_projects_nss     | **NSS**                        |
|                                | _reference_fc_signrecoverinit` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | FC_SignRecoverInit -           |
|                                |                                | initialize a sign recover      |
|                                |                                | operation.                     |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 293                            | :ref:`mozilla_project          | **NSS**                        |
|                                | s_nss_reference_fc_signupdate` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | FC_SignUpdate - process the    |
|                                |                                | next block of a multi-part     |
|                                |                                | signing operation.             |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 294                            | :ref:`mozilla_projec           | **NSS**                        |
|                                | ts_nss_reference_fc_unwrapkey` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | FC_UnwrapKey - unwrap a key    |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 295                            | :ref:`mozilla_pro              | **NSS**                        |
|                                | jects_nss_reference_fc_verify` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | FC_Verify - sign a block of    |
|                                |                                | data.                          |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 296                            | :ref:`mozilla_projects         | **NSS**                        |
|                                | _nss_reference_fc_verifyfinal` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | FC_VerifyFinal - finish a      |
|                                |                                | multi-part verify operation.   |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 297                            | :ref:`mozilla_project          | **NSS**                        |
|                                | s_nss_reference_fc_verifyinit` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | FC_VerifyInit - initialize a   |
|                                |                                | verification operation.        |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 298                            | :ref:`mozilla_projects_n       | **NSS**                        |
|                                | ss_reference_fc_verifyrecover` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | FC_VerifyRecover - Verify data |
|                                |                                | in a single recoverable        |
|                                |                                | operation.                     |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 299                            | :ref:`mozilla_projects_nss_r   | **NSS**                        |
|                                | eference_fc_verifyrecoverinit` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | FC_VerifyRecoverInit -         |
|                                |                                | initialize a verification      |
|                                |                                | operation where data is        |
|                                |                                | recoverable.                   |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 300                            | :ref:`mozilla_projects_        | **NSS**                        |
|                                | nss_reference_fc_verifyupdate` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | FC_VerifyUpdate - process the  |
|                                |                                | next block of a multi-part     |
|                                |                                | verify operation.              |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 301                            | :ref:`mozilla_projects_nss_    | **NSS**                        |
|                                | reference_fc_waitforslotevent` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | FC_WaitForSlotEvent - waits    |
|                                |                                | for a slot event, such as      |
|                                |                                | token insertion or token       |
|                                |                                | removal, to occur.             |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 302                            | :ref:`mozilla_proj             | **NSS**                        |
|                                | ects_nss_reference_fc_wrapkey` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | FC_WrapKey - wrap a key        |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 303                            | :ref:`mozilla_project          | **NSS**                        |
|                                | s_nss_reference_nsc_inittoken` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | ``NSC_InitToken()`` -          |
|                                |                                | initialize or re-initialize a  |
|                                |                                | token.                         |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 304                            | :ref:`mozilla_pro              | **NSS**                        |
|                                | jects_nss_reference_nsc_login` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | ``NSC_Login()`` - log a user   |
|                                |                                | into a token.                  |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 305                            | :ref:`mozilla_projects         |                                |
|                                | _nss_reference_nspr_functions` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | `NSPR <https://www.            |
|                                |                                | mozilla.org/projects/nspr/>`__ |
|                                |                                | is a platform abstraction      |
|                                |                                | library that provides a        |
|                                |                                | cross-platform API to common   |
|                                |                                | OS services. NSS uses NSPR     |
|                                |                                | internally as the porting      |
|                                |                                | layer. However, a small        |
|                                |                                | number of NSPR functions are   |
|                                |                                | required for using the         |
|                                |                                | certificate verification and   |
|                                |                                | SSL functions in NSS. These    |
|                                |                                | NSPR functions are listed in   |
|                                |                                | this section.                  |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 306                            | :re                            | **NSS**                        |
|                                | f:`mozilla_projects_nss_refere |                                |
|                                | nce_nss_certificate_functions` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | This chapter describes the     |
|                                |                                | functions and related types    |
|                                |                                | used to work with a            |
|                                |                                | certificate database such as   |
|                                |                                | the cert8.db database provided |
|                                |                                | with NSS. This was converted   |
|                                |                                | from `"Chapter 5: Certificate  |
|                                |                                | Functions" <https://www.mo     |
|                                |                                | zilla.org/projects/security/pk |
|                                |                                | i/nss/ref/ssl/sslcrt.html>`__. |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 307                            | :r                             | **NSS**                        |
|                                | ef:`mozilla_projects_nss_refer |                                |
|                                | ence_nss_cryptographic_module` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | This chapter describes the     |
|                                |                                | data types and functions that  |
|                                |                                | one can use to perform         |
|                                |                                | cryptographic operations with  |
|                                |                                | the NSS cryptographic module.  |
|                                |                                | The NSS cryptographic module   |
|                                |                                | uses the industry standard     |
|                                |                                | `PKCS                          |
|                                |                                | #11 <http://www.rsasecurity.co |
|                                |                                | m/rsalabs/node.asp?id=2133>`__ |
|                                |                                | v2.20 as its API with some     |
|                                |                                | extensions. Therefore, an      |
|                                |                                | application that supports PKCS |
|                                |                                | #11 cryptographic tokens can   |
|                                |                                | be easily modified to use the  |
|                                |                                | NSS cryptographic module.      |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 308                            | :ref:`mozilla_projects_ns      | **NSS**                        |
|                                | s_reference_nss_cryptographic_ |                                |
|                                | module_fips_mode_of_operation` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | These functions manage         |
|                                |                                | certificates and keys.         |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 309                            | :re                            | **NSS**                        |
|                                | f:`mozilla_projects_nss_refere |                                |
|                                | nce_nss_environment_variables` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | These environment variables    |
|                                |                                | affect the RUN TIME behavior   |
|                                |                                | of NSS shared libraries. There |
|                                |                                | is a separate set of           |
|                                |                                | environment variables that     |
|                                |                                | affect how NSS is built,       |
|                                |                                | documented below.              |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 310                            | :ref:`mozilla_project          | **NSS**                        |
|                                | s_nss_reference_nss_functions` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | This page lists all exported   |
|                                |                                | functions in NSS 3.11.7. It    |
|                                |                                | was ported from                |
|                                |                                | `here <http://www-archive.mozi |
|                                |                                | lla.org/projects/security/pki/ |
|                                |                                | nss/ref/nssfunctions.html>`__. |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 311                            | :ref:`mozilla_projects         |                                |
|                                | _nss_reference_nss_initialize` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | NSS_Initialize - initialize    |
|                                |                                | NSS.                           |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 312                            | :ref:`mozilla_projects_ns      | **NSS**                        |
|                                | s_reference_nss_key_functions` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | This chapter describes two     |
|                                |                                | functions used to manipulate   |
|                                |                                | private keys and key databases |
|                                |                                | such as the key3.db database   |
|                                |                                | provided with NSS. This was    |
|                                |                                | converted from `"Chapter 6:    |
|                                |                                | Key                            |
|                                |                                | Functions" <https://develop    |
|                                |                                | er.mozilla.org/en-US/docs/NSS/ |
|                                |                                | SSL_functions/sslkey.html>`__. |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 313                            | :ref:`mozilla_projects_nss_r   |                                |
|                                | eference_nss_tools_:_certutil` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | Name                           |
|                                |                                | certutil — Manage keys and     |
|                                |                                | certificate in both NSS        |
|                                |                                | databases and other NSS tokens |
|                                |                                | Synopsis                       |
|                                |                                | certutil [options]             |
|                                |                                | [[arguments]]                  |
|                                |                                | Description                    |
|                                |                                | The Certificate Database       |
|                                |                                | Tool, certutil, is a           |
|                                |                                | command-line utility           |
|                                |                                | that can create and modify     |
|                                |                                | certificate and key databases. |
|                                |                                | It can specifically list,      |
|                                |                                | generate, modify, or delete    |
|                                |                                | certificates, create or        |
|                                |                                | change the password,           |
|                                |                                | generate new public and        |
|                                |                                | private key pairs,             |
|                                |                                | display the contents of the    |
|                                |                                | key database, or delete key    |
|                                |                                | pairs within the key           |
|                                |                                | database.                      |
|                                |                                | Certificate issuance, part     |
|                                |                                | of the key and certificate     |
|                                |                                | management process, requires   |
|                                |                                | that                           |
|                                |                                | keys and certificates be       |
|                                |                                | created in the key database.   |
|                                |                                | This document discusses        |
|                                |                                | certificate                    |
|                                |                                | and key database               |
|                                |                                | management. For information on |
|                                |                                | the security module database   |
|                                |                                | management,                    |
|                                |                                | see the modutil manpage.       |
|                                |                                | Options and Arguments          |
|                                |                                | Running certutil always        |
|                                |                                | requires one and only one      |
|                                |                                | command option to              |
|                                |                                | specify the type of            |
|                                |                                | certificate operation. Each    |
|                                |                                | option may take arguments,     |
|                                |                                | anywhere from none to          |
|                                |                                | multiple arguments.            |
The | 4444 | | | command option -H will list | 4445 | | | all the command options | 4446 | | | available and their relevant | 4447 | | | arguments. | 4448 | | | Command Options | 4449 | | | -A | 4450 | | | Add an existing | 4451 | | | certificate to a certificate | 4452 | | | database. | 4453 | | | The certificate | 4454 | | | database should already exist; | 4455 | | | if one is | 4456 | | | not present, this | 4457 | | | command option will initialize | 4458 | | | one by default. | 4459 | | | -B | 4460 | | | Run a series of | 4461 | | | commands from the specified | 4462 | | | batch file. | 4463 | | | This requires the -i | 4464 | | | argument. | 4465 | | | -C | 4466 | | | Create a new binary | 4467 | | | certificate file from a binary | 4468 | | | certificate request | 4469 | | | file. Use the -i argument to | 4470 | | | specify | 4471 | | | the certificate | 4472 | | | request file. If this argument | 4473 | | | is not | 4474 | | | used, certutil | 4475 | | | prompts for a filename. | 4476 | | | -D | 4477 | | | Delete a certificate | 4478 | | | from the certificate database. 
| 4479 +--------------------------------+--------------------------------+--------------------------------+ 4480 | | | | 4481 +--------------------------------+--------------------------------+--------------------------------+ 4482 | 314 | :ref:`mozilla_projects_nss_ | | 4483 | | reference_nss_tools_:_cmsutil` | | 4484 +--------------------------------+--------------------------------+--------------------------------+ 4485 | | | Name | 4486 +--------------------------------+--------------------------------+--------------------------------+ 4487 | | | | 4488 +--------------------------------+--------------------------------+--------------------------------+ 4489 | 315 | :ref:`mozilla_projects_nss_ | **Reference** | 4490 | | reference_nss_tools_:_crlutil` | | 4491 +--------------------------------+--------------------------------+--------------------------------+ 4492 | | | Name | 4493 +--------------------------------+--------------------------------+--------------------------------+ 4494 | | | | 4495 +--------------------------------+--------------------------------+--------------------------------+ 4496 | 316 | :ref:`mozilla_projects_nss_ | **Mozilla, NSS, Reference, | 4497 | | reference_nss_tools_:_modutil` | Security, Tools, Utilities, | 4498 | | | modutil** | 4499 +--------------------------------+--------------------------------+--------------------------------+ 4500 | | | Name | 4501 +--------------------------------+--------------------------------+--------------------------------+ 4502 | | | | 4503 +--------------------------------+--------------------------------+--------------------------------+ 4504 | 317 | :ref:`mozilla_projects_nss_r | | 4505 | | eference_nss_tools_:_pk12util` | | 4506 +--------------------------------+--------------------------------+--------------------------------+ 4507 | | | NSS tools : pk12util | 4508 +--------------------------------+--------------------------------+--------------------------------+ 4509 | | | | 4510 
+--------------------------------+--------------------------------+--------------------------------+ 4511 | 318 | :ref:`mozilla_projects_nss | | 4512 | | _reference_nss_tools_:_ssltab` | | 4513 +--------------------------------+--------------------------------+--------------------------------+ 4514 | | | Name | 4515 +--------------------------------+--------------------------------+--------------------------------+ 4516 | | | | 4517 +--------------------------------+--------------------------------+--------------------------------+ 4518 | 319 | :ref:`mozilla_projects_nss | | 4519 | | _reference_nss_tools_:_ssltap` | | 4520 +--------------------------------+--------------------------------+--------------------------------+ 4521 | | | Name | 4522 +--------------------------------+--------------------------------+--------------------------------+ 4523 | | | | 4524 +--------------------------------+--------------------------------+--------------------------------+ 4525 | 320 | :ref:`mozilla_projects_nss_r | | 4526 | | eference_nss_tools_:_vfychain` | | 4527 +--------------------------------+--------------------------------+--------------------------------+ 4528 | | | Name | 4529 +--------------------------------+--------------------------------+--------------------------------+ 4530 | | | | 4531 +--------------------------------+--------------------------------+--------------------------------+ 4532 | 321 | :ref:`mozilla_projects_nss_ | | 4533 | | reference_nss_tools_:_vfyserv` | | 4534 +--------------------------------+--------------------------------+--------------------------------+ 4535 | | | Name | 4536 +--------------------------------+--------------------------------+--------------------------------+ 4537 | | | | 4538 +--------------------------------+--------------------------------+--------------------------------+ 4539 | 322 | :ref:`mozilla_pro | | 4540 | | jects_nss_reference_nss_tools` | | 4541 
+--------------------------------+--------------------------------+--------------------------------+ 4542 | | | certutil | 4543 | | | :ref:`mozilla_projects_nss_r | 4544 | | | eference_nss_tools_:_certutil` | 4545 +--------------------------------+--------------------------------+--------------------------------+ 4546 | | | | 4547 +--------------------------------+--------------------------------+--------------------------------+ 4548 | 323 | :ref:`mozilla_projec | | 4549 | | ts_nss_reference_troubleshoot` | | 4550 +--------------------------------+--------------------------------+--------------------------------+ 4551 | | | Newsgroup: | 4552 | | | `mozilla.dev.tech | 4553 | | | .crypto <nntp://news.mozilla.o | 4554 | | | rg/mozilla.dev.tech.crypto>`__ | 4555 +--------------------------------+--------------------------------+--------------------------------+ 4556 | | | | 4557 +--------------------------------+--------------------------------+--------------------------------+ 4558 | 324 | :ref:`mozil | | 4559 | | la_projects_nss_release_notes` | | 4560 +--------------------------------+--------------------------------+--------------------------------+ 4561 | | | This page lists release notes | 4562 | | | for older versions of NSS. | 4563 | | | See :ref:`mozi | 4564 | | | lla_projects_nss_nss_releases` | 4565 | | | :ref:`mozi | 4566 | | | lla_projects_nss_nss_releases` | 4567 | | | for recent release notes. The | 4568 | | | links below are provided for | 4569 | | | historical information. 
| 4570 +--------------------------------+--------------------------------+--------------------------------+ 4571 | | | | 4572 +--------------------------------+--------------------------------+--------------------------------+ 4573 | 325 | :ref:`mozilla_ | **NSS** | 4574 | | projects_nss_s_mime_functions` | | 4575 +--------------------------------+--------------------------------+--------------------------------+ 4576 | | | The public functions listed | 4577 | | | here perform S/MIME operations | 4578 | | | using the `S/MIME | 4579 | | | Toolkit <http://w | 4580 | | | ww-archive.mozilla.org/project | 4581 | | | s/security/pki/nss/smime/>`__. | 4582 +--------------------------------+--------------------------------+--------------------------------+ 4583 | | | | 4584 +--------------------------------+--------------------------------+--------------------------------+ 4585 | 326 | :ref:`mozil | **NSS** | 4586 | | la_projects_nss_ssl_functions` | | 4587 +--------------------------------+--------------------------------+--------------------------------+ 4588 | | | The public functions listed | 4589 | | | here are used to configure | 4590 | | | sockets for communication via | 4591 | | | the SSL and TLS protocols. In | 4592 | | | addition to the functions | 4593 | | | listed here, applications that | 4594 | | | support SSL use some of the | 4595 | | | Certificate functions, Crypto | 4596 | | | functions, and Utility | 4597 | | | functions described below on | 4598 | | | this page. 
| 4599 +--------------------------------+--------------------------------+--------------------------------+ 4600 | | | | 4601 +--------------------------------+--------------------------------+--------------------------------+ 4602 | 327 | :ref:`mozilla_pro | | 4603 | | jects_nss_ssl_functions_gtstd` | | 4604 +--------------------------------+--------------------------------+--------------------------------+ 4605 | | | This chapter describes how to | 4606 | | | set up your environment, | 4607 | | | including certificate and key | 4608 | | | databases. | 4609 +--------------------------------+--------------------------------+--------------------------------+ 4610 | | | | 4611 +--------------------------------+--------------------------------+--------------------------------+ 4612 | 328 | :ref:`mozilla_projects_nss_ss | **NSS** | 4613 | | l_functions_old_ssl_reference` | | 4614 +--------------------------------+--------------------------------+--------------------------------+ 4615 | | | *New | 4616 | | | sgroup:*\ `mozilla.dev.tech.cr | 4617 | | | ypto <news://news.mozilla.org/ | 4618 | | | mozilla.dev.tech.crypto>`__\ * | 4619 | | | Writer: Sean Cotter | 4620 | | | Manager: Wan-Teh Chang* | 4621 +--------------------------------+--------------------------------+--------------------------------+ 4622 | | | | 4623 +--------------------------------+--------------------------------+--------------------------------+ 4624 | 329 | :ref:`mozilla_pro | | 4625 | | jects_nss_ssl_functions_pkfnc` | | 4626 +--------------------------------+--------------------------------+--------------------------------+ 4627 | | | | 4628 +--------------------------------+--------------------------------+--------------------------------+ 4629 | | | | 4630 +--------------------------------+--------------------------------+--------------------------------+ 4631 | 330 | :ref:`mozilla_proj | | 4632 | | ects_nss_ssl_functions_sslcrt` | | 4633 
+--------------------------------+--------------------------------+--------------------------------+ 4634 | | | | 4635 +--------------------------------+--------------------------------+--------------------------------+ 4636 | | | | 4637 +--------------------------------+--------------------------------+--------------------------------+ 4638 | 331 | :ref:`mozilla_proj | | 4639 | | ects_nss_ssl_functions_sslerr` | | 4640 +--------------------------------+--------------------------------+--------------------------------+ 4641 | | | | 4642 +--------------------------------+--------------------------------+--------------------------------+ 4643 | | | | 4644 +--------------------------------+--------------------------------+--------------------------------+ 4645 | 332 | :ref:`mozilla_proj | | 4646 | | ects_nss_ssl_functions_sslfnc` | | 4647 +--------------------------------+--------------------------------+--------------------------------+ 4648 | | | | 4649 +--------------------------------+--------------------------------+--------------------------------+ 4650 | | | | 4651 +--------------------------------+--------------------------------+--------------------------------+ 4652 | 333 | :ref:`mozilla_projec | | 4653 | | ts_nss_ssl_functions_sslintro` | | 4654 +--------------------------------+--------------------------------+--------------------------------+ 4655 | | | SSL and related APIs allow | 4656 | | | compliant applications to | 4657 | | | configure sockets for | 4658 | | | authenticated, tamper-proof, | 4659 | | | and encrypted communications. | 4660 | | | This chapter introduces some | 4661 | | | of the basic SSL functions. | 4662 | | | `Chapter 2, "Getting Started | 4663 | | | With | 4664 | | | SSL" <gtstd.html#1005439>`__ | 4665 | | | illustrates their use in | 4666 | | | sample client and server | 4667 | | | applications. 
| 4668 +--------------------------------+--------------------------------+--------------------------------+ 4669 | | | | 4670 +--------------------------------+--------------------------------+--------------------------------+ 4671 | 334 | :ref:`mozilla_proj | | 4672 | | ects_nss_ssl_functions_sslkey` | | 4673 +--------------------------------+--------------------------------+--------------------------------+ 4674 | | | | 4675 +--------------------------------+--------------------------------+--------------------------------+ 4676 | | | | 4677 +--------------------------------+--------------------------------+--------------------------------+ 4678 | 335 | :ref:`mozilla_proj | | 4679 | | ects_nss_ssl_functions_ssltyp` | | 4680 +--------------------------------+--------------------------------+--------------------------------+ 4681 | | | | 4682 +--------------------------------+--------------------------------+--------------------------------+ 4683 | | | | 4684 +--------------------------------+--------------------------------+--------------------------------+ 4685 | 336 | :ref:`mozilla_projects_n | **NSS** | 4686 | | ss_tls_cipher_suite_discovery` | | 4687 +--------------------------------+--------------------------------+--------------------------------+ 4688 | | | In order to communicate | 4689 | | | securely, an TLS client and | 4690 | | | TLS server must agree on the | 4691 | | | cryptographic algorithms and | 4692 | | | keys that they will both use | 4693 | | | on the secured connection. 
| 4694 | | | They must agree on these | 4695 | | | items: | 4696 +--------------------------------+--------------------------------+--------------------------------+ 4697 | | | | 4698 +--------------------------------+--------------------------------+--------------------------------+ 4699 | 337 | :re | **NSS** | 4700 | | f:`mozilla_projects_nss_tools` | | 4701 +--------------------------------+--------------------------------+--------------------------------+ 4702 | | | Newsgroup: | 4703 | | | `mozilla.dev.tech | 4704 | | | .crypto <news://news.mozilla.o | 4705 | | | rg/mozilla.dev.tech.crypto>`__ | 4706 +--------------------------------+--------------------------------+--------------------------------+ 4707 | | | | 4708 +--------------------------------+--------------------------------+--------------------------------+ 4709 | 338 | :ref:`mozill | | 4710 | | a_projects_nss_tools_certutil` | | 4711 +--------------------------------+--------------------------------+--------------------------------+ 4712 | | | Name | 4713 | | | certutil — Manage keys and | 4714 | | | certificate in the NSS | 4715 | | | database. | 4716 | | | Synopsis | 4717 | | | certutil [options] | 4718 | | | `arguments <arguments>`__ | 4719 | | | Description | 4720 | | | The Certificate Database | 4721 | | | Tool, certutil, is a | 4722 | | | command-line utility that | 4723 | | | can create and modify | 4724 | | | certificate and key database | 4725 | | | files. It can also | 4726 | | | list, generate, modify, or | 4727 | | | delete certificates within the | 4728 | | | database, create | 4729 | | | or change the password, | 4730 | | | generate new public and | 4731 | | | private key pairs, display | 4732 | | | the contents of the key | 4733 | | | database, or delete key pairs | 4734 | | | within the key | 4735 | | | database. 
| 4736 | | | The key and certificate | 4737 | | | management process generally | 4738 | | | begins with creating | 4739 | | | keys in the key database, | 4740 | | | then generating and managing | 4741 | | | certificates in the | 4742 | | | certificate database. This | 4743 | | | document discusses certificate | 4744 | | | and key database | 4745 | | | management. For information | 4746 | | | security module database | 4747 | | | management, see the | 4748 | | | modutil manpages. | 4749 | | | Options and Arguments | 4750 | | | Running certutil always | 4751 | | | requires one (and only one) | 4752 | | | option to specify the | 4753 | | | type of certificate | 4754 | | | operation. Each option may | 4755 | | | take arguments, anywhere | 4756 | | | from none to multiple | 4757 | | | arguments. Run the command | 4758 | | | option and -H to see the | 4759 | | | arguments available for | 4760 | | | each command option. | 4761 | | | Options | 4762 | | | Options specify an action | 4763 | | | and are uppercase. | 4764 | | | -A | 4765 | | | Add an existing | 4766 | | | certificate to a certificate | 4767 | | | database. The | 4768 | | | certificate | 4769 | | | database should already exist; | 4770 | | | if one is not present, | 4771 | | | this option will | 4772 | | | initialize one by default. | 4773 | | | -B | 4774 | | | Run a series of | 4775 | | | commands from the specified | 4776 | | | batch file. This | 4777 | | | requires the -i | 4778 | | | argument. | 4779 | | | -C | 4780 | | | Create a new binary | 4781 | | | certificate file from a binary | 4782 | | | certificate | 4783 | | | request file. Use | 4784 | | | the -i argument to specify the | 4785 | | | certificate | 4786 | | | request file. If | 4787 | | | this argument is not used, | 4788 | | | certutil prompts for a | 4789 | | | filename. | 4790 | | | -D | 4791 | | | Delete a | 4792 | | | certificate from the | 4793 | | | certificate database. 
| 4794 | | | -E | 4795 | | | Add an email | 4796 | | | certificate to the certificate | 4797 | | | database. | 4798 | | | -F | 4799 | | | Delete a private | 4800 | | | key from a key database. | 4801 | | | Specify the key to | 4802 | | | delete with the -n | 4803 | | | argument. Specify the database | 4804 | | | from which to | 4805 | | | delete the key with | 4806 | | | the -d argument. Use the -k | 4807 | | | argument to | 4808 | | | specify explicitly | 4809 | | | whether to delete a DSA, RSA, | 4810 | | | or ECC key. If | 4811 | | | you don't use the | 4812 | | | -k argument, the option looks | 4813 | | | for an RSA key | 4814 | | | matching the | 4815 | | | specified nickname. | 4816 | | | When you delete | 4817 | | | keys, be sure to also remove | 4818 | | | any certificates | 4819 | | | associated with | 4820 | | | those keys from the | 4821 | | | certificate database, by using | 4822 | | | -D. Some smart | 4823 | | | cards (for example, the | 4824 | | | Litronic card) do not let | 4825 | | | you remove a public | 4826 | | | key you have generated. In | 4827 | | | such a case, only | 4828 | | | the private key is | 4829 | | | deleted from the key pair. You | 4830 | | | can display the | 4831 | | | public key with the | 4832 | | | command certutil -K -h | 4833 | | | tokenname. | 4834 | | | -G | 4835 | | | Generate a new | 4836 | | | public and private key pair | 4837 | | | within a key database. | 4838 | | | The key database | 4839 | | | should already exist; if one | 4840 | | | is not present, this | 4841 | | | option will | 4842 | | | initialize one by default. | 4843 | | | Some smart cards (for | 4844 | | | example, the | 4845 | | | Litronic card) can store only | 4846 | | | one key pair. If you | 4847 | | | create a new key | 4848 | | | pair for such a card, the | 4849 | | | previous pair is | 4850 | | | overwritten. 
| 4851 | | | -H | 4852 | | | Display a list of | 4853 | | | the options and arguments used | 4854 | | | by the | 4855 | | | Certificate | 4856 | | | Database Tool. | 4857 | | | -K | 4858 | | | List the key ID of | 4859 | | | keys in the key database. A | 4860 | | | key ID is the | 4861 | | | modulus of the RSA | 4862 | | | key or the publicValue of the | 4863 | | | DSA key. IDs are | 4864 | | | displayed in | 4865 | | | hexadecimal ("0x" is not | 4866 | | | shown). | 4867 | | | -L | 4868 | | | List all the | 4869 | | | certificates, or display | 4870 | | | information about a named | 4871 | | | certificate, in a | 4872 | | | certificate database. Use the | 4873 | | | -h tokenname | 4874 | | | argument to specify | 4875 | | | the certificate database on a | 4876 | | | particular | 4877 | | | hardware or | 4878 | | | software token. | 4879 | | | -M | 4880 | | | Modify a | 4881 | | | certificate's trust attributes | 4882 | | | using the values of the -t | 4883 | | | argument. | 4884 | | | -N | 4885 | | | Create new | 4886 | | | certificate and key databases. | 4887 | | | -O | 4888 | | | Print the | 4889 | | | certificate chain. | 4890 | | | -R | 4891 | | | Create a | 4892 | | | certificate request file that | 4893 | | | can be submitted to a | 4894 | | | Certificate | 4895 | | | Authority (CA) for processing | 4896 | | | into a finished | 4897 | | | certificate. Output | 4898 | | | defaults to standard out | 4899 | | | unless you use -o | 4900 | | | output-file | 4901 | | | argument. Use the -a argument | 4902 | | | to specify ASCII output. | 4903 | | | -S | 4904 | | | Create an | 4905 | | | individual certificate and add | 4906 | | | it to a certificate | 4907 | | | database. | 4908 | | | -T | 4909 | | | Reset the key | 4910 | | | database or token. | 4911 | | | -U | 4912 | | | List all available | 4913 | | | modules or print a single | 4914 | | | named module. 
| 4915 | | | -V | 4916 | | | Check the validity | 4917 | | | of a certificate and its | 4918 | | | attributes. | 4919 | | | -W | 4920 | | | Change the password | 4921 | | | to a key database. | 4922 | | | --merge | 4923 | | | Merge a source | 4924 | | | database into the target | 4925 | | | database. This is used to | 4926 | | | merge legacy NSS | 4927 | | | databases (cert8.db and | 4928 | | | key3.db) into the newer | 4929 | | | SQLite databases | 4930 | | | (cert9.db and key4.db). | 4931 | | | --upgrade-merge | 4932 | | | Upgrade an old | 4933 | | | database and merge it into a | 4934 | | | new database. This is | 4935 | | | used to migrate | 4936 | | | legacy NSS databases (cert8.db | 4937 | | | and key3.db) into | 4938 | | | the newer SQLite | 4939 | | | databases (cert9.db and | 4940 | | | key4.db). | 4941 | | | Arguments | 4942 | | | Option arguments modify an | 4943 | | | action and are lowercase. | 4944 | | | -a | 4945 | | | Use ASCII format or | 4946 | | | allow the use of ASCII format | 4947 | | | for input or | 4948 | | | output. This | 4949 | | | formatting follows RFC 1113. | 4950 | | | For certificate | 4951 | | | requests, ASCII | 4952 | | | output defaults to standard | 4953 | | | output unless | 4954 | | | redirected. | 4955 | | | -b validity-time | 4956 | | | Specify a time at | 4957 | | | which a certificate is | 4958 | | | required to be valid. Use | 4959 | | | when checking | 4960 | | | certificate validity with the | 4961 | | | -V option. The format | 4962 | | | of the | 4963 | | | validity-time argument is | 4964 | | | YYMMDDHHMMSS[+HHMM|-HHMM|Z], | 4965 | | | which allows | 4966 | | | offsets to be set relative to | 4967 | | | the validity end time. | 4968 | | | Specifying seconds | 4969 | | | (SS) is optional. When | 4970 | | | specifying an explicit | 4971 | | | time, use a Z at | 4972 | | | the end of the term, | 4973 | | | YYMMDDHHMMSSZ, to close it. 
| 4974 | | | When specifying an | 4975 | | | offset time, use | 4976 | | | YYMMDDHHMMSS+HHMM or | 4977 | | | YYMMDDHHMMSS-HHMM | 4978 | | | for adding or subtracting | 4979 | | | time, respectively. | 4980 | | | If this option is | 4981 | | | not used, the validity check | 4982 | | | defaults to the | 4983 | | | current system | 4984 | | | time. | 4985 | | | -c issuer | 4986 | | | Identify the | 4987 | | | certificate of the CA from | 4988 | | | which a new certificate | 4989 | | | will derive its | 4990 | | | authenticity. Use the exact | 4991 | | | nickname or alias of | 4992 | | | the CA certificate, | 4993 | | | or use the CA's email address. | 4994 | | | Bracket the | 4995 | | | issuer string with | 4996 | | | quotation marks if it contains | 4997 | | | spaces. | 4998 | | | -d [sql:]directory | 4999 | | | Specify the | 5000 | | | database directory containing | 5001 | | | the certificate and key | 5002 | | | database files. | 5003 | | | certutil supports | 5004 | | | two types of databases: the | 5005 | | | legacy security | 5006 | | | databases | 5007 | | | (cert8.db, key3.db, and | 5008 | | | secmod.db) and new SQLite | 5009 | | | databases | 5010 | | | (cert9.db, key4.db, and | 5011 | | | pkcs11.txt). If the prefix | 5012 | | | sql: | 5013 | | | is not used, then | 5014 | | | the tool assumes that the | 5015 | | | given databases are in | 5016 | | | the old format. | 5017 | | | -e | 5018 | | | Check a | 5019 | | | certificate's signature during | 5020 | | | the process of validating a | 5021 | | | certificate. | 5022 | | | -f password-file | 5023 | | | Specify a file that | 5024 | | | will automatically supply the | 5025 | | | password to | 5026 | | | include in a | 5027 | | | certificate or to access a | 5028 | | | certificate database. This | 5029 | | | is a plain-text | 5030 | | | file containing one password. | 5031 | | | Be sure to prevent | 5032 | | | unauthorized access | 5033 | | | to this file. 
| 5034 | | | -g keysize | 5035 | | | Set a key size to | 5036 | | | use when generating new public | 5037 | | | and private key | 5038 | | | pairs. The minimum | 5039 | | | is 512 bits and the maximum is | 5040 | | | 8192 bits. The | 5041 | | | default is 1024 | 5042 | | | bits. Any size between the | 5043 | | | minimum and maximum is | 5044 | | | allowed. | 5045 | | | -h tokenname | 5046 | | | Specify the name of | 5047 | | | a token to use or act on. | 5048 | | | Unless specified | 5049 | | | otherwise the | 5050 | | | default token is an internal | 5051 | | | slot (specifically, | 5052 | | | internal slot 2). | 5053 | | | This slot can also be | 5054 | | | explicitly named with the | 5055 | | | string "internal". | 5056 | | | An internal slots is a virtual | 5057 | | | slot maintained | 5058 | | | in software, rather | 5059 | | | than a hardware device. | 5060 | | | Internal slot 2 is | 5061 | | | used by key and | 5062 | | | certificate services. Internal | 5063 | | | slot 1 is used by | 5064 | | | cryptographic | 5065 | | | services. | 5066 | | | -i input_file | 5067 | | | Pass an input file | 5068 | | | to the command. Depending on | 5069 | | | the command | 5070 | | | option, an input | 5071 | | | file can be a specific | 5072 | | | certificate, a certificate | 5073 | | | request file, or a | 5074 | | | batch file of commands. | 5075 | | | -k rsa|dsa|ec|all | 5076 | | | Specify the type of | 5077 | | | a key. The valid options are | 5078 | | | RSA, DSA, ECC, or | 5079 | | | all. The default | 5080 | | | value is rsa. Specifying the | 5081 | | | type of key can | 5082 | | | avoid mistakes | 5083 | | | caused by duplicate nicknames. | 5084 | | | -k key-type-or-id | 5085 | | | Specify the type or | 5086 | | | specific ID of a key. Giving a | 5087 | | | key type | 5088 | | | generates a new key | 5089 | | | pair; giving the ID of an | 5090 | | | existing key reuses | 5091 | | | that key pair | 5092 | | | (which is required to renew | 5093 | | | certificates). 
| 5094 | | | -l | 5095 | | | Display detailed | 5096 | | | information when validating a | 5097 | | | certificate with | 5098 | | | the -V option. | 5099 | | | -m serial-number | 5100 | | | Assign a unique | 5101 | | | serial number to a certificate | 5102 | | | being created. This | 5103 | | | operation should be | 5104 | | | performed by a CA. The default | 5105 | | | serial number | 5106 | | | is 0 (zero). Serial | 5107 | | | numbers are limited to | 5108 | | | integers. | 5109 | | | -n nickname | 5110 | | | Specify the | 5111 | | | nickname of a certificate or | 5112 | | | key to list, create, add | 5113 | | | to a database, | 5114 | | | modify, or validate. Bracket | 5115 | | | the nickname string | 5116 | | | with quotation | 5117 | | | marks if it contains spaces. | 5118 | | | -o output-file | 5119 | | | Specify the output | 5120 | | | file name for new certificates | 5121 | | | or binary | 5122 | | | certificate | 5123 | | | requests. Bracket the | 5124 | | | output-file string with | 5125 | | | quotation marks if | 5126 | | | it contains spaces. If this | 5127 | | | argument is not | 5128 | | | used the output | 5129 | | | destination defaults to | 5130 | | | standard output. | 5131 | | | -P dbPrefix | 5132 | | | Specify the prefix | 5133 | | | used on the certificate and | 5134 | | | key database file. | 5135 | | | This option is | 5136 | | | provided as a special case. | 5137 | | | Changing the names of | 5138 | | | the certificate and | 5139 | | | key databases is not | 5140 | | | recommended. | 5141 | | | -p phone | 5142 | | | Specify a contact | 5143 | | | telephone number to include in | 5144 | | | new certificates | 5145 | | | or certificate | 5146 | | | requests. Bracket this string | 5147 | | | with quotation marks | 5148 | | | if it contains | 5149 | | | spaces. | 5150 | | | -q pqgfile | 5151 | | | Read an alternate | 5152 | | | PQG value from the specified | 5153 | | | file when | 5154 | | | generating DSA key | 5155 | | | pairs. 
If this argument is not | 5156 | | | used, certutil | 5157 | | | generates its own | 5158 | | | PQG value. PQG files are | 5159 | | | created with a separate | 5160 | | | DSA utility. | 5161 | | | -q curve-name | 5162 | | | Set the elliptic | 5163 | | | curve name to use when | 5164 | | | generating ECC key pairs. | 5165 | | | A complete list of | 5166 | | | ECC curves is given in the | 5167 | | | help (-H). | 5168 | | | -r | 5169 | | | Display a | 5170 | | | certificate's binary DER | 5171 | | | encoding when listing | 5172 | | | information about | 5173 | | | that certificate with the -L | 5174 | | | option. | 5175 | | | -s subject | 5176 | | | Identify a | 5177 | | | particular certificate owner | 5178 | | | for new certificates or | 5179 | | | certificate | 5180 | | | requests. Bracket this string | 5181 | | | with quotation marks if | 5182 | | | it contains spaces. | 5183 | | | The subject identification | 5184 | | | format follows RFC | 5185 | | | #1485. | 5186 | | | -t trustargs | 5187 | | | Specify the trust | 5188 | | | attributes to modify in an | 5189 | | | existing certificate | 5190 | | | or to apply to a | 5191 | | | certificate when creating it | 5192 | | | or adding it to a | 5193 | | | database. There are | 5194 | | | three available trust | 5195 | | | categories for each | 5196 | | | certificate, | 5197 | | | expressed in the order SSL, | 5198 | | | email, object signing for | 5199 | | | each trust setting. 
| 5200 | | | In each category position, use | 5201 | | | none, any, or | 5202 | | | all of the | 5203 | | | attribute codes: | 5204 | | | o p - Valid peer | 5205 | | | o P - Trusted | 5206 | | | peer (implies p) | 5207 | | | o c - Valid CA | 5208 | | | o T - Trusted CA | 5209 | | | to issue client certificates | 5210 | | | (implies c) | 5211 | | | o C - Trusted CA | 5212 | | | to issue server certificates | 5213 | | | (SSL only) | 5214 | | | (implies c) | 5215 | | | o u - | 5216 | | | Certificate can be used for | 5217 | | | authentication or signing | 5218 | | | o w - Send | 5219 | | | warning (use with other | 5220 | | | attributes to include a | 5221 | | | warning when | 5222 | | | the certificate is used in | 5223 | | | that context) | 5224 | | | The attribute codes | 5225 | | | for the categories are | 5226 | | | separated by commas, | 5227 | | | and the entire set | 5228 | | | of attributes enclosed by | 5229 | | | quotation marks. For | 5230 | | | example: | 5231 | | | -t "TCu,Cu,Tuw" | 5232 | | | Use the -L option | 5233 | | | to see a list of the current | 5234 | | | certificates and | 5235 | | | trust attributes in | 5236 | | | a certificate database. | 5237 | | | -u certusage | 5238 | | | Specify a usage | 5239 | | | context to apply when | 5240 | | | validating a certificate | 5241 | | | with the -V option. | 5242 | | | The contexts are | 5243 | | | the following: | 5244 | | | o C (as an SSL | 5245 | | | client) | 5246 | | | o V (as an SSL | 5247 | | | server) | 5248 | | | o S (as an email | 5249 | | | signer) | 5250 | | | o R (as an email | 5251 | | | recipient) | 5252 | | | o O (as an OCSP | 5253 | | | status responder) | 5254 | | | o J (as an | 5255 | | | object signer) | 5256 | | | -v valid-months | 5257 | | | Set the number of | 5258 | | | months a new certificate will | 5259 | | | be valid. 
The | 5260 | | | validity period | 5261 | | | begins at the current system | 5262 | | | time unless an offset | 5263 | | | is added or | 5264 | | | subtracted with the -w option. | 5265 | | | If this argument is not | 5266 | | | used, the default | 5267 | | | validity period is three | 5268 | | | months. When this | 5269 | | | argument is used, | 5270 | | | the default three-month period | 5271 | | | is automatically | 5272 | | | added to any value | 5273 | | | given in the valid-month | 5274 | | | argument. For example, | 5275 | | | using this option | 5276 | | | to set a value of 3 would | 5277 | | | cause 3 to be added to | 5278 | | | the three-month | 5279 | | | default, creating a validity | 5280 | | | period of six months. | 5281 | | | You can use | 5282 | | | negative values to reduce the | 5283 | | | default period. For | 5284 | | | example, setting a | 5285 | | | value of -2 would subtract 2 | 5286 | | | from the default | 5287 | | | and create a | 5288 | | | validity period of one month. | 5289 | | | -w offset-months | 5290 | | | Set an offset from | 5291 | | | the current system time, in | 5292 | | | months, for the | 5293 | | | beginning of a | 5294 | | | certificate's validity period. | 5295 | | | Use when creating | 5296 | | | the certificate or | 5297 | | | adding it to a database. | 5298 | | | Express the offset in | 5299 | | | integers, using a | 5300 | | | minus sign (-) to indicate a | 5301 | | | negative offset. If | 5302 | | | this argument is | 5303 | | | not used, the validity period | 5304 | | | begins at the | 5305 | | | current system | 5306 | | | time. The length of the | 5307 | | | validity period is set with | 5308 | | | the -v argument. | 5309 | | | -X | 5310 | | | Force the key and | 5311 | | | certificate database to open | 5312 | | | in read-write mode. | 5313 | | | This is used with | 5314 | | | the -U and -L command options. 
| 5315 | | | -x | 5316 | | | Use certutil to | 5317 | | | generate the signature for a | 5318 | | | certificate being | 5319 | | | created or added to | 5320 | | | a database, rather than | 5321 | | | obtaining a signature | 5322 | | | from a separate CA. | 5323 | | | -y exp | 5324 | | | Set an alternate | 5325 | | | exponent value to use in | 5326 | | | generating a new RSA | 5327 | | | public key for the | 5328 | | | database, instead of the | 5329 | | | default value of | 5330 | | | 65537. The | 5331 | | | available alternate values are | 5332 | | | 3 and 17. | 5333 | | | -z noise-file | 5334 | | | Read a seed value | 5335 | | | from the specified file to | 5336 | | | generate a new | 5337 | | | private and public | 5338 | | | key pair. This argument makes | 5339 | | | it possible to | 5340 | | | use | 5341 | | | hardware-generated seed values | 5342 | | | or manually create a value | 5343 | | | from | 5344 | | | the keyboard. The | 5345 | | | minimum file size is 20 bytes. | 5346 | | | -0 SSO_password | 5347 | | | Set a site security | 5348 | | | officer password on a token. | 5349 | | | -1 \| --keyUsage | 5350 | | | keyword,keyword | 5351 | | | Set a Netscape | 5352 | | | Certificate Type Extension in | 5353 | | | the certificate. | 5354 | | | There are several | 5355 | | | available keywords: | 5356 | | | o digital | 5357 | | | signature | 5358 | | | o nonRepudiation | 5359 | | | | 5360 | | | o keyEncipherment | 5361 | | | | 5362 | | | o dataEncipherment | 5363 | | | o keyAgreement | 5364 | | | o certSigning | 5365 | | | o crlSigning | 5366 | | | o critical | 5367 | | | -2 | 5368 | | | Add a basic | 5369 | | | constraint extension to a | 5370 | | | certificate that is being | 5371 | | | created or added to | 5372 | | | a database. This extension | 5373 | | | supports the | 5374 | | | certificate chain | 5375 | | | verification process. certutil | 5376 | | | prompts for the | 5377 | | | certificate | 5378 | | | constraint extension to | 5379 | | | select. 
| 5380 | | | X.509 certificate | 5381 | | | extensions are described in | 5382 | | | RFC 5280. | 5383 | | | -3 | 5384 | | | Add an authority | 5385 | | | key ID extension to a | 5386 | | | certificate that is being | 5387 | | | created or added to | 5388 | | | a database. This extension | 5389 | | | supports the | 5390 | | | identification of a | 5391 | | | particular certificate, from | 5392 | | | among multiple | 5393 | | | certificates | 5394 | | | associated with one subject | 5395 | | | name, as the correct | 5396 | | | issuer of a | 5397 | | | certificate. The Certificate | 5398 | | | Database Tool will prompt | 5399 | | | you to select the | 5400 | | | authority key ID extension. | 5401 | | | X.509 certificate | 5402 | | | extensions are described in | 5403 | | | RFC 5280. | 5404 | | | -4 | 5405 | | | Add a CRL | 5406 | | | distribution point extension | 5407 | | | to a certificate that is | 5408 | | | being created or | 5409 | | | added to a database. This | 5410 | | | extension identifies | 5411 | | | the URL of a | 5412 | | | certificate's associated | 5413 | | | certificate revocation list | 5414 | | | (CRL). certutil | 5415 | | | prompts for the URL. | 5416 | | | X.509 certificate | 5417 | | | extensions are described in | 5418 | | | RFC 5280. | 5419 | | | -5 \| --nsCertType | 5420 | | | keyword,keyword | 5421 | | | Add a Netscape | 5422 | | | certificate type extension to | 5423 | | | a certificate that is | 5424 | | | being created or | 5425 | | | added to the database. There | 5426 | | | are several | 5427 | | | available keywords: | 5428 | | | o sslClient | 5429 | | | o sslServer | 5430 | | | o smime | 5431 | | | o objectSigning | 5432 | | | o sslCA | 5433 | | | o smimeCA | 5434 | | | | 5435 | | | o objectSigningCA | 5436 | | | o critical | 5437 | | | X.509 certificate | 5438 | | | extensions are described in | 5439 | | | RFC 5280. 
| 5440 | | | -6 \| --extKeyUsage | 5441 | | | keyword,keyword | 5442 | | | Add an extended key | 5443 | | | usage extension to a | 5444 | | | certificate that is being | 5445 | | | created or added to | 5446 | | | the database. Several keywords | 5447 | | | are available: | 5448 | | | o serverAuth | 5449 | | | o clientAuth | 5450 | | | o codeSigning | 5451 | | | | 5452 | | | o emailProtection | 5453 | | | o timeStamp | 5454 | | | o ocspResponder | 5455 | | | o stepUp | 5456 | | | o critical | 5457 | | | X.509 certificate | 5458 | | | extensions are described in | 5459 | | | RFC 5280. | 5460 | | | -7 emailAddrs | 5461 | | | Add a | 5462 | | | comma-separated list of email | 5463 | | | addresses to the subject | 5464 | | | alternative name | 5465 | | | extension of a certificate or | 5466 | | | certificate request | 5467 | | | that is being | 5468 | | | created or added to the | 5469 | | | database. Subject | 5470 | | | alternative name | 5471 | | | extensions are described in | 5472 | | | Section 4.2.1.7 of | 5473 | | | RFC 3280. | 5474 | | | -8 dns-names | 5475 | | | Add a | 5476 | | | comma-separated list of DNS | 5477 | | | names to the subject | 5478 | | | alternative | 5479 | | | name extension of a | 5480 | | | certificate or certificate | 5481 | | | request that is | 5482 | | | being created or | 5483 | | | added to the database. Subject | 5484 | | | alternative name | 5485 | | | extensions are | 5486 | | | described in Section 4.2.1.7 | 5487 | | | of RFC 3280. | 5488 | | | --extAIA | 5489 | | | Add the Authority | 5490 | | | Information Access extension | 5491 | | | to the certificate. | 5492 | | | X.509 certificate | 5493 | | | extensions are described in | 5494 | | | RFC 5280. | 5495 | | | --extSIA | 5496 | | | Add the Subject | 5497 | | | Information Access extension | 5498 | | | to the certificate. | 5499 | | | X.509 certificate | 5500 | | | extensions are described in | 5501 | | | RFC 5280. 
| 5502 | | | --extCP | 5503 | | | Add the Certificate | 5504 | | | Policies extension to the | 5505 | | | certificate. X.509 | 5506 | | | certificate | 5507 | | | extensions are described in | 5508 | | | RFC 5280. | 5509 | | | --extPM | 5510 | | | Add the Policy | 5511 | | | Mappings extension to the | 5512 | | | certificate. X.509 | 5513 | | | certificate | 5514 | | | extensions are described in | 5515 | | | RFC 5280. | 5516 | | | --extPC | 5517 | | | Add the Policy | 5518 | | | Constraints extension to the | 5519 | | | certificate. X.509 | 5520 | | | certificate | 5521 | | | extensions are described in | 5522 | | | RFC 5280. | 5523 | | | --extIA | 5524 | | | Add the Inhibit Any | 5525 | | | Policy Access extension to the | 5526 | | | certificate. | 5527 | | | X.509 certificate | 5528 | | | extensions are described in | 5529 | | | RFC 5280. | 5530 | | | --extSKID | 5531 | | | Add the Subject Key | 5532 | | | ID extension to the | 5533 | | | certificate. X.509 | 5534 | | | certificate | 5535 | | | extensions are described in | 5536 | | | RFC 5280. | 5537 | | | --source-dir certdir | 5538 | | | Identify the | 5539 | | | certificate database directory | 5540 | | | to upgrade. | 5541 | | | --source-prefix certdir | 5542 | | | Give the prefix of | 5543 | | | the certificate and key | 5544 | | | databases to upgrade. | 5545 | | | --upgrade-id uniqueID | 5546 | | | Give the unique ID | 5547 | | | of the database to upgrade. | 5548 | | | --upgrade-token-name name | 5549 | | | Set the name of the | 5550 | | | token to use while it is being | 5551 | | | upgraded. | 5552 | | | -@ pwfile | 5553 | | | Give the name of a | 5554 | | | password file to use for the | 5555 | | | database being | 5556 | | | upgraded. | 5557 | | | Usage and Examples | 5558 | | | Most of the command options | 5559 | | | in the examples listed here | 5560 | | | have more | 5561 | | | arguments available. 
The | 5562 | | | arguments included in these | 5563 | | | examples are the most | 5564 | | | common ones or are used to | 5565 | | | illustrate a specific | 5566 | | | scenario. Use the -H | 5567 | | | option to show the complete | 5568 | | | list of arguments for each | 5569 | | | command option. | 5570 | | | Creating New Security | 5571 | | | Databases | 5572 | | | Certificates, keys, and | 5573 | | | security modules related to | 5574 | | | managing certificates | 5575 | | | are stored in three related | 5576 | | | databases: | 5577 | | | o cert8.db or cert9.db | 5578 | | | o key3.db or key4.db | 5579 | | | o secmod.db or pkcs11.txt | 5580 | | | These databases must be | 5581 | | | created before certificates or | 5582 | | | keys can be | 5583 | | | generated. | 5584 | | | certutil -N -d | 5585 | | | [sql:]directory | 5586 | | | Creating a Certificate | 5587 | | | Request | 5588 | | | A certificate request | 5589 | | | contains most or all of the | 5590 | | | information that is used | 5591 | | | to generate the final | 5592 | | | certificate. This request is | 5593 | | | submitted separately to | 5594 | | | a certificate authority and | 5595 | | | is then approved by some | 5596 | | | mechanism | 5597 | | | (automatically or by human | 5598 | | | review). Once the request is | 5599 | | | approved, then the | 5600 | | | certificate is generated. 
| 5601 | | | $ certutil -R -k | 5602 | | | key-type-or-id [-q | 5603 | | | pqgfile|curve-name] -g | 5604 | | | key-size -s subject [-h | 5605 | | | tokenname] -d [sql:]directory | 5606 | | | [-p phone] [-o output-file] | 5607 | | | [-a] | 5608 | | | The -R command option | 5609 | | | requires four arguments: | 5610 | | | o -k to specify either | 5611 | | | the key type to generate or, | 5612 | | | when renewing a | 5613 | | | certificate, the | 5614 | | | existing key pair to use | 5615 | | | o -g to set the key size | 5616 | | | of the key to generate | 5617 | | | o -s to set the subject | 5618 | | | name of the certificate | 5619 | | | o -d to give the security | 5620 | | | database directory | 5621 | | | The new certificate request | 5622 | | | can be output in ASCII format | 5623 | | | (-a) or can be | 5624 | | | written to a specified file | 5625 | | | (-o). | 5626 | | | For example: | 5627 | | | $ certutil -R -k ec -q | 5628 | | | nistb409 -g 512 -s "CN=John | 5629 | | | Smith,O=Example | 5630 | | | Corp,L=Mountain | 5631 | | | View,ST=California,C=US" -d | 5632 | | | sql:/home/my/sharednssdb -p | 5633 | | | 650-555-0123 -a -o cert.cer | 5634 | | | Generating key. This may | 5635 | | | take a few moments... 
| 5636 | | | Certificate request generated | 5637 | | | by Netscape | 5638 | | | Phone: 650-555-0123 | 5639 | | | Common Name: John Smith | 5640 | | | Email: (not ed) | 5641 | | | Organization: Example Corp | 5642 | | | State: California | 5643 | | | Country: US | 5667 | | | Creating a Certificate | 5668 | | | A valid certificate must be | 5669 | | | issued by a trusted CA. This | 5670 | | | can be done by | 5671 | | | specifying a CA certificate | 5672 | | | (-c) that is stored in the | 5673 | | | certificate | 5674 | | | database. If a CA key pair | 5675 | | | is not available, you can | 5676 | | | create a self-signed | 5677 | | | certificate using the -x | 5678 | | | argument with the -S command | 5679 | | | option. 
| 5680 | | | $ certutil -S -k rsa|dsa|ec | 5681 | | | -n certname -s subject [-c | 5682 | | | issuer \|-x] -t trustargs -d | 5683 | | | [sql:]directory [-m | 5684 | | | serial-number] [-v | 5685 | | | valid-months] [-w | 5686 | | | offset-months] [-p phone] [-1] | 5687 | | | [-2] [-3] [-4] [-5 keyword] | 5688 | | | [-6 keyword] [-7 emailAddress] | 5689 | | | [-8 dns-names] [--extAIA] | 5690 | | | [--extSIA] [--extCP] [--extPM] | 5691 | | | [--extPC] [--extIA] | 5692 | | | [--extSKID] | 5693 | | | The series of numbers and | 5694 | | | --ext\* options set | 5695 | | | certificate extensions that | 5696 | | | can be added to the | 5697 | | | certificate when it is | 5698 | | | generated by the CA. | 5699 | | | For example, this creates a | 5700 | | | self-signed certificate: | 5701 | | | $ certutil -S -s "CN=Example | 5702 | | | CA" -n my-ca-cert -x -t | 5703 | | | "C,C,C" -1 -2 -5 -m 3650 | 5704 | | | From there, new | 5705 | | | certificates can reference the | 5706 | | | self-signed certificate: | 5707 | | | $ certutil -S -s "CN=My | 5708 | | | Server Cert" -n my-server-cert | 5709 | | | -c "my-ca-cert" -t "u,u,u" -1 | 5710 | | | -5 -6 -8 -m 730 | 5711 | | | Generating a Certificate | 5712 | | | from a Certificate Request | 5713 | | | When a certificate request | 5714 | | | is created, a certificate can | 5715 | | | be generated by | 5716 | | | using the request and then | 5717 | | | referencing a certificate | 5718 | | | authority signing | 5719 | | | certificate (the issuer | 5720 | | | specified in the -c argument). | 5721 | | | The issuing | 5722 | | | certificate must be in the | 5723 | | | certificate database in the | 5724 | | | specified | 5725 | | | directory. 
| 5726 | | | certutil -C -c issuer -i | 5727 | | | cert-request-file -o | 5728 | | | output-file [-m serial-number] | 5729 | | | [-v valid-months] [-w | 5730 | | | offset-months] -d | 5731 | | | [sql:]directory [-1] [-2] [-3] | 5732 | | | [-4] [-5 keyword] [-6 keyword] | 5733 | | | [-7 emailAddress] [-8 | 5734 | | | dns-names] | 5735 | | | For example: | 5736 | | | $ certutil -C -c "my-ca-cert" | 5737 | | | -i /home/certs/cert.req -o | 5738 | | | cert.cer -m 010 -v 12 -w 1 -d | 5739 | | | sql:/home/my/sharednssdb -1 | 5740 | | | n | 5741 | | | onRepudiation,dataEncipherment | 5742 | | | -5 sslClient -6 clientAuth -7 | 5743 | | | jsmith@example.com | 5744 | | | Generating Key Pairs | 5745 | | | Key pairs are generated | 5746 | | | automatically with a | 5747 | | | certificate request or | 5748 | | | certificate, but they can | 5749 | | | also be generated | 5750 | | | independently using the -G | 5751 | | | command option. | 5752 | | | certutil -G -d | 5753 | | | [sql:]directory \| -h | 5754 | | | tokenname -k key-type -g | 5755 | | | key-size [-y exponent-value] | 5756 | | | -q pqgfile|curve-name | 5757 | | | For example: | 5758 | | | $ certutil -G -h lunasa -k ec | 5759 | | | -g 256 -q sect193r2 | 5760 | | | Listing Certificates | 5761 | | | The -L command option lists | 5762 | | | all of the certificates listed | 5763 | | | in the | 5764 | | | certificate database. The | 5765 | | | path to the directory (-d) is | 5766 | | | required. 
| 5767 | | | $ certutil -L -d | 5768 | | | sql:/home/my/sharednssdb | 5769 | | | Certificate | 5770 | | | Nickname | 5771 | | | | 5772 | | | Trust Attributes | 5773 | | | | 5774 | | | | 5775 | | | | 5776 | | | SSL,S/MIME,JAR/XPI | 5777 | | | CA Administrator of Instance | 5778 | | | pki-ca1's Example Domain | 5779 | | | ID u,u,u | 5780 | | | TPS Administrator's Example | 5781 | | | Domain | 5782 | | | ID | 5783 | | | u,u,u | 5784 | | | Google Internet | 5785 | | | Authority | 5786 | | | | 5787 | | | ,, | 5788 | | | Certificate Authority - | 5789 | | | Example | 5790 | | | Domain | 5791 | | | CT,C,C | 5792 | | | Using additional arguments | 5793 | | | with -L can return and print | 5794 | | | the information | 5795 | | | for a single, specific | 5796 | | | certificate. For example, the | 5797 | | | -n argument passes | 5798 | | | the certificate name, while | 5799 | | | the -a argument prints the | 5800 | | | certificate in | 5801 | | | ASCII format: | 5802 | | | $ certutil -L -d | 5803 | | | sql:/home/my/sharednssdb -a -n | 5804 | | | "Certificate Authority - | 5805 | | | Example Domain" 
| 5866 | | | Listing Keys | 5867 | | | Keys are the original | 5868 | | | material used to encrypt | 5869 | | | certificate data. The keys | 5870 | | | generated for certificates | 5871 | | | are stored separately, in the | 5872 | | | key database. | 5873 | | | To list all keys in the | 5874 | | | database, use the -K command | 5875 | | | option and the | 5876 | | | (required) -d argument to | 5877 | | | give the path to the | 5878 | | | directory. 
| 5879 | | | $ certutil -K -d | 5880 | | | sql:/home/my/sharednssdb | 5881 | | | certutil: Checking token "NSS | 5882 | | | Certificate DB" in slot "NSS | 5883 | | | User Private Key and | 5884 | | | Certificate | 5885 | | | Services " | 5886 | | | < 0> rsa | 5887 | | | 455a6673bde9 | 5888 | | | 375c2887ec8bf8016b3f9f35861d | 5889 | | | Thawte Freemail Member's | 5890 | | | Thawte Consulting (Pty) Ltd. | 5891 | | | ID | 5892 | | | < 1> rsa | 5893 | | | 40defeeb522a | 5894 | | | de11090eacebaaf1196a172127df | 5895 | | | Example Domain Administrator | 5896 | | | Cert | 5897 | | | < 2> rsa | 5898 | | | 1d0b06f44f6c | 5899 | | | 03842f7d4f4a1dc78b3bcd1b85a5 | 5900 | | | John Smith user cert | 5901 | | | There are ways to narrow | 5902 | | | the keys listed in the search | 5903 | | | results: | 5904 | | | o To return a specific | 5905 | | | key, use the -n name argument | 5906 | | | with the name of | 5907 | | | the key. | 5908 | | | o If there are multiple | 5909 | | | security devices loaded, then | 5910 | | | the -h tokenname | 5911 | | | argument can search a | 5912 | | | specific token or all tokens. | 5913 | | | o If there are multiple | 5914 | | | key types available, then the | 5915 | | | -k key-type | 5916 | | | argument can search a | 5917 | | | specific type of key, like | 5918 | | | RSA, DSA, or ECC. | 5919 | | | Listing Security Modules | 5920 | | | The devices that can be | 5921 | | | used to store certificates -- | 5922 | | | both internal | 5923 | | | databases and external | 5924 | | | devices like smart cards -- | 5925 | | | are recognized and used | 5926 | | | by loading security | 5927 | | | modules. The -U command option | 5928 | | | lists all of the | 5929 | | | security modules listed in | 5930 | | | the secmod.db database. The | 5931 | | | path to the | 5932 | | | directory (-d) is required. 
| 5933 | | | $ certutil -U -d | 5934 | | | sql:/home/my/sharednssdb | 5935 | | | slot: NSS User Private | 5936 | | | Key and Certificate Services | 5937 | | | token: NSS Certificate DB | 5938 | | | slot: NSS Internal | 5939 | | | Cryptographic Services | 5940 | | | token: NSS Generic Crypto | 5941 | | | Services | 5942 | | | Adding Certificates to the | 5943 | | | Database | 5944 | | | Existing certificates or | 5945 | | | certificate requests can be | 5946 | | | added manually to the | 5947 | | | certificate database, even | 5948 | | | if they were generated | 5949 | | | elsewhere. This uses the | 5950 | | | -A command option. | 5951 | | | certutil -A -n certname -t | 5952 | | | trustargs -d [sql:]directory | 5953 | | | [-a] [-i input-file] | 5954 | | | For example: | 5955 | | | $ certutil -A -n "CN=My SSL | 5956 | | | Certificate" -t "u,u,u" -d | 5957 | | | sql:/home/my/sharednssdb -i | 5958 | | | /home/example-certs/cert.cer | 5959 | | | A related command option, | 5960 | | | -E, is used specifically to | 5961 | | | add email | 5962 | | | certificates to the | 5963 | | | certificate database. The -E | 5964 | | | command has the same | 5965 | | | arguments as the -A | 5966 | | | command. The trust arguments | 5967 | | | for certificates have the | 5968 | | | format | 5969 | | | SSL,S/MIME,Code-signing, so | 5970 | | | the middle trust settings | 5971 | | | relate most | 5972 | | | to email certificates | 5973 | | | (though the others can be | 5974 | | | set). For example: | 5975 | | | $ certutil -E -n "CN=John | 5976 | | | Smith Email Cert" -t ",Pu," -d | 5977 | | | sql:/home/my/sharednssdb -i | 5978 | | | /home/example-certs/email.cer | 5979 | | | Deleting Certificates from | 5980 | | | the Database | 5981 | | | Certificates can be deleted | 5982 | | | from a database using the -D | 5983 | | | option. 
The only | 5984 | | | required options are to | 5985 | | | give the security database | 5986 | | | directory and to | 5987 | | | identify the certificate | 5988 | | | nickname. | 5989 | | | certutil -D -d | 5990 | | | [sql:]directory -n "nickname" | 5991 | | | For example: | 5992 | | | $ certutil -D -d | 5993 | | | sql:/home/my/sharednssdb -n | 5994 | | | "my-ssl-cert" | 5995 | | | Validating Certificates | 5996 | | | A certificate contains an | 5997 | | | expiration date in itself, and | 5998 | | | expired | 5999 | | | certificates are easily | 6000 | | | rejected. However, | 6001 | | | certificates can also be | 6002 | | | revoked before they hit | 6003 | | | their expiration date. | 6004 | | | Checking whether a | 6005 | | | certificate has been | 6006 | | | revoked requires validating | 6007 | | | the certificate. | 6008 | | | Validation can also be used | 6009 | | | to ensure that the certificate | 6010 | | | is only used | 6011 | | | for the purposes it was | 6012 | | | initially issued for. | 6013 | | | Validation is carried out by | 6014 | | | the -V command option. | 6015 | | | certutil -V -n | 6016 | | | certificate-name [-b time] | 6017 | | | [-e] [-u cert-usage] -d | 6018 | | | [sql:]directory | 6019 | | | For example, to validate an | 6020 | | | email certificate: | 6021 | | | $ certutil -V -n "John | 6022 | | | Smith's Email Cert" -e -u S,R | 6023 | | | -d sql:/home/my/sharednssdb | 6024 | | | Modifying Certificate Trust | 6025 | | | Settings | 6026 | | | The trust settings (which | 6027 | | | relate to the operations that | 6028 | | | a certificate is | 6029 | | | allowed to be used for) can | 6030 | | | be changed after a certificate | 6031 | | | is created or | 6032 | | | added to the database. This | 6033 | | | is especially useful for CA | 6034 | | | certificates, but | 6035 | | | it can be performed for any | 6036 | | | type of certificate. 
| 6037 | | | certutil -M -n | 6038 | | | certificate-name -t trust-args | 6039 | | | -d [sql:]directory | 6040 | | | For example: | 6041 | | | $ certutil -M -n "My CA | 6042 | | | Certificate" -d | 6043 | | | sql:/home/my/sharednssdb -t | 6044 | | | "CTu,CTu,CTu" | 6045 | | | Printing the Certificate | 6046 | | | Chain | 6047 | | | Certificates can be issued | 6048 | | | in chains because every | 6049 | | | certificate authority | 6050 | | | itself has a certificate; | 6051 | | | when a CA issues a | 6052 | | | certificate, it essentially | 6053 | | | stamps that certificate | 6054 | | | with its own fingerprint. The | 6055 | | | -O command option prints the full | 6056 | | | chain of a certificate, | 6057 | | | going from the initial CA (the | 6058 | | | root CA) through | 6059 | | | every intermediary CA to the | 6060 | | | actual certificate. For | 6061 | | | example, for an email | 6062 | | | certificate with two CAs in | 6063 | | | the chain: | 6064 | | | $ certutil -d | 6065 | | | sql:/home/my/sharednssdb -O -n | 6066 | | | "jsmith@example.com" | 6067 | | | "Builtin Object Token:Thawte | 6068 | | | Personal Freemail CA" | 6069 | | | [E=personal | 6070 | | | -freemail@thawte.com,CN=Thawte | 6071 | | | Personal Freemail | 6072 | | | CA,OU=Certification Services | 6073 | | | Division,O=Thawte | 6074 | | | Consulting,L=Cape | 6075 | | | Town,ST=Western Cape,C=ZA] | 6076 | | | "Thawte Personal Freemail | 6077 | | | Issuing CA - Thawte | 6078 | | | Consulting" [CN=Thawte | 6079 | | | Personal Freemail Issuing | 6080 | | | CA,O=Thawte Consulting (Pty) | 6081 | | | Ltd.,C=ZA] | 6082 | | | "(null)" | 6083 | | | [ | 6084 | | | E=jsmith@example.com,CN=Thawte | 6085 | | | Freemail Member] | 6086 | | | Resetting a Token | 6087 | | | The device which stores | 6088 | | | certificates -- both external | 6089 | | | hardware devices and | 6090 | | | internal software databases | 6091 | | | -- can be blanked and reused. 
| 6092 | | | This operation | 6093 | | | is performed on the device | 6094 | | | which stores the data, not | 6095 | | | directly on the | 6096 | | | security databases, so the | 6097 | | | location must be referenced | 6098 | | | through the token | 6099 | | | name (-h) as well as any | 6100 | | | directory path. If there is no | 6101 | | | external token | 6102 | | | used, the default value is | 6103 | | | internal. | 6104 | | | certutil -T -d | 6105 | | | [sql:]directory -h token-name | 6106 | | | -0 security-officer-password | 6107 | | | Many networks have | 6108 | | | dedicated personnel who handle | 6109 | | | changes to security | 6110 | | | tokens (the security | 6111 | | | officer). This person must | 6112 | | | supply the password to | 6113 | | | access the specified token. | 6114 | | | For example: | 6115 | | | $ certutil -T -d | 6116 | | | sql:/home/my/sharednssdb -h | 6117 | | | nethsm -0 secret | 6118 | | | Upgrading or Merging the | 6119 | | | Security Databases | 6120 | | | Many networks or | 6121 | | | applications may be using | 6122 | | | older BerkeleyDB versions of | 6123 | | | the certificate database | 6124 | | | (cert8.db). Databases can be | 6125 | | | upgraded to the new | 6126 | | | SQLite version of the | 6127 | | | database (cert9.db) using the | 6128 | | | --upgrade-merge | 6129 | | | command option, or existing | 6130 | | | databases can be merged with | 6131 | | | the new cert9.db | 6132 | | | databases using the | 6133 | | | --merge command. | 6134 | | | The --upgrade-merge command | 6135 | | | must give information about | 6136 | | | the original | 6137 | | | database and then use the | 6138 | | | standard arguments (like -d) | 6139 | | | to give the | 6140 | | | information about the new | 6141 | | | databases. The command also | 6142 | | | requires information | 6143 | | | that the tool uses for the | 6144 | | | process to upgrade and write | 6145 | | | over the original | 6146 | | | database. 
| 6147 | | | certutil --upgrade-merge -d | 6148 | | | [sql:]directory [-P dbprefix] | 6149 | | | --source-dir directory | 6150 | | | --source-prefix dbprefix | 6151 | | | --upgrade-id id | 6152 | | | --upgrade-token-name name [-@ | 6153 | | | password-file] | 6154 | | | For example: | 6155 | | | $ certutil --upgrade-merge -d | 6156 | | | sql:/home/my/sharednssdb | 6157 | | | --source-dir | 6158 | | | /opt/my-app/alias/ | 6159 | | | --source-prefix serverapp- | 6160 | | | --upgrade-id 1 | 6161 | | | --upgrade-token-name internal | 6162 | | | The --merge command only | 6163 | | | requires information about the | 6164 | | | location of the | 6165 | | | original database; since it | 6166 | | | doesn't change the format of | 6167 | | | the database, it | 6168 | | | can write over information | 6169 | | | without performing an interim | 6170 | | | step. | 6171 | | | certutil --merge -d | 6172 | | | [sql:]directory [-P dbprefix] | 6173 | | | --source-dir directory | 6174 | | | --source-prefix dbprefix [-@ | 6175 | | | password-file] | 6176 | | | For example: | 6177 | | | $ certutil --merge -d | 6178 | | | sql:/home/my/sharednssdb | 6179 | | | --source-dir | 6180 | | | /opt/my-app/alias/ | 6181 | | | --source-prefix serverapp- | 6182 | | | Running certutil Commands | 6183 | | | from a Batch File | 6184 | | | A series of commands can be | 6185 | | | run sequentially from a text | 6186 | | | file with the -B | 6187 | | | command option. The only | 6188 | | | argument for this specifies | 6189 | | | the input file. | 6190 | | | $ certutil -B -i | 6191 | | | /path/to/batch-file | 6192 | | | NSS Database Types | 6193 | | | NSS originally used | 6194 | | | BerkeleyDB databases to store | 6195 | | | security information. 
| 6196 | | | The last versions of these | 6197 | | | legacy databases are: | 6198 | | | o cert8.db for | 6199 | | | certificates | 6200 | | | o key3.db for keys | 6201 | | | o secmod.db for PKCS #11 | 6202 | | | module information | 6203 | | | BerkeleyDB has performance | 6204 | | | limitations, though, which | 6205 | | | prevent it from | 6206 | | | being easily used by | 6207 | | | multiple applications | 6208 | | | simultaneously. NSS has some | 6209 | | | flexibility that allows | 6210 | | | applications to use their own, | 6211 | | | independent | 6212 | | | database engine while | 6213 | | | keeping a shared database and | 6214 | | | working around the | 6215 | | | access issues. Still, NSS | 6216 | | | requires more flexibility to | 6217 | | | provide a truly | 6218 | | | shared security database. | 6219 | | | In 2009, NSS introduced a | 6220 | | | new set of databases that are | 6221 | | | SQLite databases | 6222 | | | rather than BerkeleyDB. | 6223 | | | These new databases provide | 6224 | | | more accessibility and | 6225 | | | performance: | 6226 | | | o cert9.db for | 6227 | | | certificates | 6228 | | | o key4.db for keys | 6229 | | | o pkcs11.txt, which is a | 6230 | | | listing of all of the PKCS #11 | 6231 | | | modules contained | 6232 | | | in a new subdirectory | 6233 | | | in the security databases | 6234 | | | directory | 6235 | | | Because the SQLite | 6236 | | | databases are designed to be | 6237 | | | shared, these are the | 6238 | | | shared database type. The | 6239 | | | shared database type is | 6240 | | | preferred; the legacy | 6241 | | | format is included for | 6242 | | | backward compatibility. | 6243 | | | By default, the tools | 6244 | | | (certutil, pk12util, modutil) | 6245 | | | assume that the given | 6246 | | | security databases follow | 6247 | | | the more common legacy type. 
| 6248 | | | Using the SQLite | 6249 | | | databases must be manually | 6250 | | | specified by using the sql: | 6251 | | | prefix with the | 6252 | | | given security directory. | 6253 | | | For example: | 6254 | | | $ certutil -L -d | 6255 | | | sql:/home/my/sharednssdb | 6256 | | | To set the shared database | 6257 | | | type as the default type for | 6258 | | | the tools, set the | 6259 | | | NSS_DEFAULT_DB_TYPE | 6260 | | | environment variable to sql: | 6261 | | | export | 6262 | | | NSS_DEFAULT_DB_TYPE="sql" | 6263 | | | This line can be added | 6264 | | | to the ~/.bashrc file to make | 6265 | | | the change | 6266 | | | permanent. | 6267 | | | Most applications do not | 6268 | | | use the shared database by | 6269 | | | default, but they can | 6270 | | | be configured to use them. | 6271 | | | For example, this how-to | 6272 | | | article covers how to | 6273 | | | configure Firefox and | 6274 | | | Thunderbird to use the new | 6275 | | | shared NSS databases: | 6276 | | | | 6277 | | | o https://wiki.m | 6278 | | | ozilla.org/NSS_Shared_DB_Howto | 6279 | | | For an engineering draft on | 6280 | | | the changes in the shared NSS | 6281 | | | databases, see | 6282 | | | the NSS project wiki: | 6283 | | | | 6284 | | | o https:// | 6285 | | | wiki.mozilla.org/NSS_Shared_DB | 6286 | | | See Also | 6287 | | | pk12util (1) | 6288 | | | modutil (1) | 6289 | | | certutil has arguments or | 6290 | | | operations that use features | 6291 | | | defined in several | 6292 | | | IETF RFCs. 
| 6293 | | | | 6294 | | | o `http://tools.ietf.org/htm | 6295 | | | l/rfc5280 <https://datatracker | 6296 | | | .ietf.org/doc/html/rfc5280>`__ | 6297 | | | | 6298 | | | o `http://tools.ietf.org/htm | 6299 | | | l/rfc1113 <https://datatracker | 6300 | | | .ietf.org/doc/html/rfc1113>`__ | 6301 | | | | 6302 | | | o `http://tools.ietf.org/htm | 6303 | | | l/rfc1485 <https://datatracker | 6304 | | | .ietf.org/doc/html/rfc1485>`__ | 6305 | | | The NSS wiki has | 6306 | | | information on the new | 6307 | | | database design and how to | 6308 | | | configure applications to | 6309 | | | use it. | 6310 | | | | 6311 | | | o https://wiki.m | 6312 | | | ozilla.org/NSS_Shared_DB_Howto | 6313 | | | | 6314 | | | o https:// | 6315 | | | wiki.mozilla.org/NSS_Shared_DB | 6316 | | | Additional Resources | 6317 | | | For information about NSS | 6318 | | | and other tools related to NSS | 6319 | | | (like JSS), check | 6320 | | | out the NSS project wiki at | 6321 | | | | 6322 | | | [1]\ `http://www.mozil | 6323 | | | la.org/projects/security/pki/n | 6324 | | | ss/ <https://www.mozilla.org/p | 6325 | | | rojects/security/pki/nss/>`__. | 6326 | | | The NSS site relates | 6327 | | | directly to NSS code | 6328 | | | changes and releases. | 6329 | | | Mailing lists: | 6330 | | | https://lists.mozill | 6331 | | | a.org/listinfo/dev-tech-crypto | 6332 | | | IRC: Freenode at | 6333 | | | #dogtag-pki | 6334 | | | Authors | 6335 | | | The NSS tools were written | 6336 | | | and maintained by developers | 6337 | | | with Netscape, Red | 6338 | | | Hat, and Sun. | 6339 | | | Authors: Elio Maldonado | 6340 | | | <emaldona@redhat.com>, Deon | 6341 | | | Lackey | 6342 | | | <dlackey@redhat.com>. | 6343 | | | Copyright | 6344 | | | (c) 2010, Red Hat, Inc. | 6345 | | | Licensed under the GNU Public | 6346 | | | License version 2. | 6347 | | | References | 6348 | | | Visible links | 6349 | | | 1. 
| 6350 | | | `http://www.mozi | 6351 | | | lla.org/projects/security/pki/ | 6352 | | | nss/ <https://www.mozilla.org/ | 6353 | | | projects/security/pki/nss/>`__ | 6354 +--------------------------------+--------------------------------+--------------------------------+ 6355 | | | | 6356 +--------------------------------+--------------------------------+--------------------------------+ 6357 | 339 | :ref:`mozil | | 6358 | | la_projects_nss_tools_cmsutil` | | 6359 +--------------------------------+--------------------------------+--------------------------------+ 6360 | | | Name | 6361 | | | cmsutil — Performs basic | 6362 | | | cryptographic operations, such | 6363 | | | as encryption and | 6364 | | | decryption, on | 6365 | | | Cryptographic Message Syntax | 6366 | | | (CMS) messages. | 6367 | | | Synopsis | 6368 | | | cmsutil [options] | 6369 | | | `arguments <arguments>`__ | 6370 | | | Description | 6371 | | | The cmsutil command-line | 6372 | | | uses the S/MIME Toolkit to | 6373 | | | perform basic | 6374 | | | operations, such as | 6375 | | | encryption and decryption, on | 6376 | | | Cryptographic Message | 6377 | | | Syntax (CMS) messages. | 6378 | | | To run cmsutil, type the | 6379 | | | command cmsutil option | 6380 | | | [arguments] where option | 6381 | | | and arguments are | 6382 | | | combinations of the options | 6383 | | | and arguments listed in the | 6384 | | | following section. Each | 6385 | | | command takes one option. Each | 6386 | | | option may take | 6387 | | | zero or more arguments. To | 6388 | | | see a usage string, issue the | 6389 | | | command without | 6390 | | | options. | 6391 | | | Options and Arguments | 6392 | | | Options | 6393 | | | Options specify an action. | 6394 | | | Option arguments modify an | 6395 | | | action. The options | 6396 | | | and arguments for the | 6397 | | | cmsutil command are defined as | 6398 | | | follows: | 6399 | | | -D | 6400 | | | Decode a message. | 6401 | | | -C | 6402 | | | Encrypt a message.
| 6403 | | | -E | 6404 | | | Envelope a message. | 6405 | | | -O | 6406 | | | Create a | 6407 | | | certificates-only message. | 6408 | | | -S | 6409 | | | Sign a message. | 6410 | | | Arguments | 6411 | | | Option arguments modify an | 6412 | | | action and are lowercase. | 6413 | | | -c content | 6414 | | | Use this detached | 6415 | | | content (decode only). | 6416 | | | -d dbdir | 6417 | | | Specify the | 6418 | | | key/certificate database | 6419 | | | directory (default is ".") | 6420 | | | -e envfile | 6421 | | | Specify a file | 6422 | | | containing an enveloped | 6423 | | | message for a set of | 6424 | | | recipients to which | 6425 | | | you would like to send an | 6426 | | | encrypted message. | 6427 | | | If this is the | 6428 | | | first encrypted message for | 6429 | | | that set of recipients, | 6430 | | | a new enveloped | 6431 | | | message will be created that | 6432 | | | you can then use for | 6433 | | | future messages | 6434 | | | (encrypt only). | 6435 | | | -G | 6436 | | | Include a signing | 6437 | | | time attribute (sign only). | 6438 | | | -h num | 6439 | | | Generate email | 6440 | | | headers with info about CMS | 6441 | | | message (decode only). | 6442 | | | -i infile | 6443 | | | Use infile as a | 6444 | | | source of data (default is | 6445 | | | stdin). | 6446 | | | -N nickname | 6447 | | | Specify nickname of | 6448 | | | certificate to sign with (sign | 6449 | | | only). | 6450 | | | -n | 6451 | | | Suppress output of | 6452 | | | contents (decode only). | 6453 | | | -o outfile | 6454 | | | Use outfile as a | 6455 | | | destination of data (default | 6456 | | | is stdout). | 6457 | | | -P | 6458 | | | Include an S/MIME | 6459 | | | capabilities attribute. | 6460 | | | -p password | 6461 | | | Use password as key | 6462 | | | database password. | 6463 | | | -r recipient1,recipient2, | 6464 | | | ... 
| 6465 | | | Specify list of | 6466 | | | recipients (email addresses) | 6467 | | | for an encrypted or | 6468 | | | enveloped message. | 6469 | | | For certificates-only message, | 6470 | | | list of | 6471 | | | certificates to | 6472 | | | send. | 6473 | | | -T | 6474 | | | Suppress content in | 6475 | | | CMS message (sign only). | 6476 | | | -u certusage | 6477 | | | Set type of cert | 6478 | | | usage (default is | 6479 | | | certUsageEmailSigner). | 6480 | | | -Y ekprefnick | 6481 | | | Specify an | 6482 | | | encryption key preference by | 6483 | | | nickname. | 6484 | | | Usage | 6485 | | | Encrypt Example | 6486 | | | cmsutil -C [-i infile] [-o | 6487 | | | outfile] [-d dbdir] [-p | 6488 | | | password] -r | 6489 | | | "recipient1,recipient2, . . ." | 6490 | | | -e envfile | 6491 | | | Decode Example | 6492 | | | cmsutil -D [-i infile] [-o | 6493 | | | outfile] [-d dbdir] [-p | 6494 | | | password] [-c content] [-n] | 6495 | | | [-h num] | 6496 | | | Envelope Example | 6497 | | | cmsutil -E [-i infile] [-o | 6498 | | | outfile] [-d dbdir] [-p | 6499 | | | password] -r | 6500 | | | "recipient1,recipient2, ..." | 6501 | | | Certificate-only Example | 6502 | | | cmsutil -O [-i infile] [-o | 6503 | | | outfile] [-d dbdir] [-p | 6504 | | | password] -r "cert1,cert2, . . | 6505 | | | ." | 6506 | | | Sign Message Example | 6507 | | | cmsutil -S [-i infile] [-o | 6508 | | | outfile] [-d dbdir] [-p | 6509 | | | password] -N nickname [-TGP] | 6510 | | | [-Y ekprefnick] | 6511 | | | See also | 6512 | | | certutil(1) | 6513 | | | See Also | 6514 | | | Additional Resources | 6515 | | | NSS is maintained in | 6516 | | | conjunction with PKI and | 6517 | | | security-related projects | 6518 | | | through Mozilla and Fedora. | 6519 | | | The most closely-related | 6520 | | | project is Dogtag PKI, | 6521 | | | with a project wiki at | 6522 | | | [1]\ http: | 6523 | | | //pki.fedoraproject.org/wiki/.
| 6524 | | | For information | 6525 | | | specifically about NSS, the | 6526 | | | NSS project wiki is located at | 6527 | | | | 6528 | | | [2]\ `http://www.mozil | 6529 | | | la.org/projects/security/pki/n | 6530 | | | ss/ <https://www.mozilla.org/p | 6531 | | | rojects/security/pki/nss/>`__. | 6532 | | | The NSS site relates | 6533 | | | directly to NSS code | 6534 | | | changes and releases. | 6535 | | | Mailing lists: | 6536 | | | pki-devel@redhat.com and | 6537 | | | pki-users@redhat.com | 6538 | | | IRC: Freenode at | 6539 | | | #dogtag-pki | 6540 | | | Authors | 6541 | | | The NSS tools were written | 6542 | | | and maintained by developers | 6543 | | | with Netscape and | 6544 | | | now with Red Hat. | 6545 | | | Authors: Elio Maldonado | 6546 | | | <emaldona@redhat.com>, Deon | 6547 | | | Lackey | 6548 | | | <dlackey@redhat.com>. | 6549 | | | Copyright | 6550 | | | (c) 2010, Red Hat, Inc. | 6551 | | | Licensed under the GNU Public | 6552 | | | License version 2. | 6553 | | | References | 6554 | | | Visible links | 6555 | | | 1. | 6556 | | | http | 6557 | | | ://pki.fedoraproject.org/wiki/ | 6558 | | | 2. | 6559 | | | `http://www.mozi | 6560 | | | lla.org/projects/security/pki/ | 6561 | | | nss/ <https://www.mozilla.org/ | 6562 | | | projects/security/pki/nss/>`__ | 6563 +--------------------------------+--------------------------------+--------------------------------+ 6564 | | | | 6565 +--------------------------------+--------------------------------+--------------------------------+ 6566 | 340 | :ref:`mozil | | 6567 | | la_projects_nss_tools_crlutil` | | 6568 +--------------------------------+--------------------------------+--------------------------------+ 6569 | | | Name | 6570 | | | crlutil — List, generate, | 6571 | | | modify, or delete CRLs within | 6572 | | | the NSS security | 6573 | | | database file(s) and list, | 6574 | | | create, modify or delete | 6575 | | | certificates entries | 6576 | | | in a particular CRL. 
| 6577 | | | Synopsis | 6578 | | | crlutil [options] | 6579 | | | `arguments <arguments>`__ | 6580 | | | Description | 6581 | | | The Certificate Revocation | 6582 | | | List (CRL) Management Tool, | 6583 | | | crlutil, is a | 6584 | | | command-line utility that | 6585 | | | can list, generate, modify, or | 6586 | | | delete CRLs | 6587 | | | within the NSS security | 6588 | | | database file(s) and list, | 6589 | | | create, modify or | 6590 | | | delete certificates entries | 6591 | | | in a particular CRL. | 6592 | | | The key and certificate | 6593 | | | management process generally | 6594 | | | begins with creating | 6595 | | | keys in the key database, | 6596 | | | then generating and managing | 6597 | | | certificates in the | 6598 | | | certificate database(see | 6599 | | | certutil tool) and continues | 6600 | | | with certificates | 6601 | | | expiration or revocation. | 6602 | | | This document discusses | 6603 | | | certificate revocation list | 6604 | | | management. For | 6605 | | | information on security | 6606 | | | module database management, | 6607 | | | see Using the Security | 6608 | | | Module Database Tool. For | 6609 | | | information on certificate and | 6610 | | | key database | 6611 | | | management, see Using the | 6612 | | | Certificate Database Tool. | 6613 | | | To run the Certificate | 6614 | | | Revocation List Management | 6615 | | | Tool, type the command | 6616 | | | crlutil option [arguments] | 6617 | | | where options and arguments | 6618 | | | are combinations of the | 6619 | | | options and arguments | 6620 | | | listed in the following | 6621 | | | section. Each command takes | 6622 | | | one option. Each | 6623 | | | option may take zero or | 6624 | | | more arguments. To see a usage | 6625 | | | string, issue the | 6626 | | | command without options, or | 6627 | | | with the -H option. | 6628 | | | Options and Arguments | 6629 | | | Options | 6630 | | | Options specify an action. 
| 6631 | | | Option arguments modify an | 6632 | | | action. The options | 6633 | | | and arguments for the | 6634 | | | crlutil command are defined as | 6635 | | | follows: | 6636 | | | -G | 6637 | | | Create new | 6638 | | | Certificate Revocation | 6639 | | | List (CRL). | 6640 | | | -D | 6641 | | | Delete Certificate | 6642 | | | Revocation List from cert | 6643 | | | database. | 6644 | | | -I | 6645 | | | Import a CRL to the | 6646 | | | cert database | 6647 | | | -E | 6648 | | | Erase all CRLs of | 6649 | | | specified type from the cert | 6650 | | | database | 6651 | | | -L | 6652 | | | List existing CRL | 6653 | | | located in cert database file. | 6654 | | | -M | 6655 | | | Modify existing CRL | 6656 | | | which can be located in cert | 6657 | | | db or in | 6658 | | | arbitrary file. If | 6659 | | | located in file it should be | 6660 | | | encoded in ASN.1 | 6661 | | | encode format. | 6662 | | | -G | 6663 | | | Arguments | 6664 | | | Option arguments modify an | 6665 | | | action and are lowercase. | 6666 | | | -B | 6667 | | | Bypass CA signature | 6668 | | | checks. | 6669 | | | -P dbprefix | 6670 | | | Specify the prefix | 6671 | | | used on the NSS security | 6672 | | | database files (for | 6673 | | | example, | 6674 | | | my_cert8.db and my_key3.db). | 6675 | | | This option is provided as a | 6676 | | | special case. | 6677 | | | Changing the names of the | 6678 | | | certificate and key | 6679 | | | databases is not | 6680 | | | recommended. | 6681 | | | -a | 6682 | | | Use ASCII format or | 6683 | | | allow the use of ASCII format | 6684 | | | for input and | 6685 | | | output. This | 6686 | | | formatting follows RFC #1113. | 6687 | | | -c crl-gen-file | 6688 | | | Specify script file | 6689 | | | that will be used to control | 6690 | | | crl | 6691 | | | | 6692 | | | generation/modification. See | 6693 | | | crl-script-file format below.
| 6694 | | | If | 6695 | | | options -M|-G is | 6696 | | | used and -c crl-script-file is | 6697 | | | not specified, | 6698 | | | crlutil will read | 6699 | | | script data from standard | 6700 | | | input. | 6701 | | | -d directory | 6702 | | | Specify the | 6703 | | | database directory containing | 6704 | | | the certificate and key | 6705 | | | database files. On | 6706 | | | Unix the Certificate Database | 6707 | | | Tool defaults to | 6708 | | | $HOME/.netscape | 6709 | | | (that is, ~/.netscape). On | 6710 | | | Windows NT the default | 6711 | | | is the current | 6712 | | | directory. | 6713 | | | The NSS database | 6714 | | | files must reside in the same | 6715 | | | directory. | 6716 | | | -i crl-import-file | 6717 | | | Specify the file | 6718 | | | which contains the CRL to | 6719 | | | import | 6720 | | | -f password-file | 6721 | | | Specify a file that | 6722 | | | will automatically supply the | 6723 | | | password to | 6724 | | | include in a | 6725 | | | certificate or to access a | 6726 | | | certificate database. This | 6727 | | | is a plain-text | 6728 | | | file containing one password. | 6729 | | | Be sure to prevent | 6730 | | | unauthorized access | 6731 | | | to this file. | 6732 | | | -l algorithm-name | 6733 | | | Specify a specific | 6734 | | | signature algorithm. List of | 6735 | | | possible | 6736 | | | algorithms: MD2 \| | 6737 | | | MD4 \| MD5 \| SHA1 \| SHA256 | 6738 | | | \| SHA384 \| SHA512 | 6739 | | | -n nickname | 6740 | | | Specify the | 6741 | | | nickname of a certificate or | 6742 | | | key to list, create, add | 6743 | | | to a database, | 6744 | | | modify, or validate. Bracket | 6745 | | | the nickname string | 6746 | | | with quotation | 6747 | | | marks if it contains spaces. | 6748 | | | -o output-file | 6749 | | | Specify the output | 6750 | | | file name for new CRL. Bracket | 6751 | | | the output-file | 6752 | | | string with | 6753 | | | quotation marks if it contains | 6754 | | | spaces. 
If this | 6755 | | | argument is not | 6756 | | | used the output destination | 6757 | | | defaults to standard | 6758 | | | output. | 6759 | | | -t crl-type | 6760 | | | Specify type of | 6761 | | | CRL. possible types are: 0 - | 6762 | | | SEC_KRL_TYPE, 1 - | 6763 | | | SEC_CRL_TYPE. This | 6764 | | | option is obsolete | 6765 | | | -u url | 6766 | | | Specify the url. | 6767 | | | CRL Generation script syntax | 6768 | | | CRL generation script file | 6769 | | | has the following syntax: | 6770 | | | \* Line with comments | 6771 | | | should have # as a first | 6772 | | | symbol of a line | 6773 | | | \* Set "this update" or | 6774 | | | "next update" CRL fields: | 6775 | | | update=YYYYMMDDhhmmssZ | 6776 | | | nextupdate=YYYYMMDDhhmmssZ | 6777 | | | Field "next update" is | 6778 | | | optional. Time should be in | 6779 | | | GeneralizedTime format | 6780 | | | (YYYYMMDDhhmmssZ). For | 6781 | | | example: 20050204153000Z | 6782 | | | \* Add an extension to a | 6783 | | | CRL or a crl certificate | 6784 | | | entry: | 6785 | | | addext extension-name | 6786 | | | critical/non-critical | 6787 | | | [arg1[arg2 ...]] | 6788 | | | Where: | 6789 | | | extension-name: string | 6790 | | | value of a name of known | 6791 | | | extensions. | 6792 | | | critical/non-critical: is 1 | 6793 | | | when extension is critical and | 6794 | | | 0 otherwise. | 6795 | | | arg1, arg2: specific to | 6796 | | | extension type extension | 6797 | | | parameters | 6798 | | | addext uses the range that | 6799 | | | was set earlier by addcert and | 6800 | | | will install an | 6801 | | | extension to every cert | 6802 | | | entries within the range. | 6803 | | | \* Add certificate | 6804 | | | entries(s) to CRL: | 6805 | | | addcert range date | 6806 | | | range: two integer values | 6807 | | | separated by dash: range of | 6808 | | | certificates that | 6809 | | | will be added by this | 6810 | | | command. dash is used as a | 6811 | | | delimiter. 
Only one cert | 6812 | | | will be added if there is | 6813 | | | no delimiter. date: revocation | 6814 | | | date of a cert. | 6815 | | | Date should be represented | 6816 | | | in GeneralizedTime format | 6817 | | | (YYYYMMDDhhmmssZ). | 6818 | | | \* Remove certificate | 6819 | | | entry(s) from CRL | 6820 | | | rmcert range | 6821 | | | Where: | 6822 | | | range: two integer values | 6823 | | | separated by dash: range of | 6824 | | | certificates that | 6825 | | | will be added by this | 6826 | | | command. dash is used as a | 6827 | | | delimiter. Only one cert | 6828 | | | will be added if there is | 6829 | | | no delimiter. | 6830 | | | \* Change range of | 6831 | | | certificate entry(s) in CRL | 6832 | | | range new-range | 6833 | | | Where: | 6834 | | | new-range: two integer | 6835 | | | values separated by dash: | 6836 | | | range of certificates | 6837 | | | that will be added by this | 6838 | | | command. dash is used as a | 6839 | | | delimiter. Only one | 6840 | | | cert will be added if there | 6841 | | | is no delimiter. | 6842 | | | Implemented Extensions | 6843 | | | The extensions defined for | 6844 | | | CRL provide methods for | 6845 | | | associating additional | 6846 | | | attributes with CRLs or | 6847 | | | their entries. For more | 6848 | | | information see RFC #3280 | 6849 | | | \* Add The Authority Key | 6850 | | | Identifier extension: | 6851 | | | The authority key | 6852 | | | identifier extension provides | 6853 | | | a means of identifying the | 6854 | | | public key corresponding to | 6855 | | | the private key used to sign a | 6856 | | | CRL. | 6857 | | | authKeyId critical [key-id | 6858 | | | \| dn cert-serial] | 6859 | | | Where: | 6860 | | | authKeyIdent: identifies | 6861 | | | the name of an extension | 6862 | | | critical: value of 1 or | 6863 | | | 0. Should be set to 1 if | 6864 | | | this extension is critical or | 6865 | | | 0 otherwise. | 6866 | | | key-id: key identifier | 6867 | | | represented in octet string.
| 6868 | | | dn:: is a CA | 6869 | | | distinguished name | 6870 | | | cert-serial: authority | 6871 | | | certificate serial number. | 6872 | | | \* Add Issuer Alternative | 6873 | | | Name extension: | 6874 | | | The issuer alternative | 6875 | | | names extension allows | 6876 | | | additional identities to be | 6877 | | | associated with the issuer | 6878 | | | of the CRL. Defined options | 6879 | | | include an rfc822 | 6880 | | | name (electronic mail | 6881 | | | address), a DNS name, an IP | 6882 | | | address, and a URI. | 6883 | | | issuerAltNames non-critical | 6884 | | | name-list | 6885 | | | Where: | 6886 | | | subjAltNames: identifies | 6887 | | | the name of an extension | 6888 | | | should be set to 0 since | 6889 | | | this is non-critical | 6890 | | | extension name-list: comma | 6891 | | | separated list of names | 6892 | | | \* Add CRL Number | 6893 | | | extension: | 6894 | | | The CRL number is a | 6895 | | | non-critical CRL extension | 6896 | | | which conveys a | 6897 | | | monotonically increasing | 6898 | | | sequence number for a given | 6899 | | | CRL scope and CRL | 6900 | | | issuer. This extension | 6901 | | | allows users to easily | 6902 | | | determine when a particular | 6903 | | | CRL supersedes another CRL | 6904 | | | crlNumber non-critical | 6905 | | | number | 6906 | | | Where: | 6907 | | | crlNumber: identifies the | 6908 | | | name of an extension critical: | 6909 | | | should be set to | 6910 | | | 0 since this is | 6911 | | | non-critical extension number: | 6912 | | | value of long which | 6913 | | | identifies the sequential | 6914 | | | number of a CRL. | 6915 | | | \* Add Revocation Reason | 6916 | | | Code extension: | 6917 | | | The reasonCode is a | 6918 | | | non-critical CRL entry | 6919 | | | extension that identifies the | 6920 | | | reason for the certificate | 6921 | | | revocation. 
| 6922 | | | reasonCode non-critical | 6923 | | | code | 6924 | | | Where: | 6925 | | | reasonCode: identifies the | 6926 | | | name of an extension | 6927 | | | non-critical: should be | 6928 | | | set to 0 since this is | 6929 | | | non-critical extension code: | 6930 | | | the following codes | 6931 | | | are available: | 6932 | | | unspecified (0), | 6933 | | | keyCompromise (1), | 6934 | | | cACompromise (2), | 6935 | | | affiliationChanged | 6936 | | | (3), superseded (4), | 6937 | | | cessationOfOperation (5), | 6938 | | | certificateHold (6), | 6939 | | | removeFromCRL (8), | 6940 | | | privilegeWithdrawn (9), | 6941 | | | aACompromise (10) | 6942 | | | \* Add Invalidity Date | 6943 | | | extension: | 6944 | | | The invalidity date is a | 6945 | | | non-critical CRL entry | 6946 | | | extension that provides | 6947 | | | the date on which it is | 6948 | | | known or suspected that the | 6949 | | | private key was | 6950 | | | compromised or that the | 6951 | | | certificate otherwise became | 6952 | | | invalid. | 6953 | | | invalidityDate non-critical | 6954 | | | date | 6955 | | | Where: | 6956 | | | crlNumber: identifies the | 6957 | | | name of an extension | 6958 | | | non-critical: should be set | 6959 | | | to 0 since this is | 6960 | | | non-critical extension date: | 6961 | | | invalidity date of a cert. | 6962 | | | Date should be represented | 6963 | | | in GeneralizedTime format | 6964 | | | (YYYYMMDDhhmmssZ). | 6965 | | | Usage | 6966 | | | The Certificate Revocation | 6967 | | | List Management Tool's | 6968 | | | capabilities are grouped | 6969 | | | as follows, using these | 6970 | | | combinations of options and | 6971 | | | arguments. Options and | 6972 | | | arguments in square | 6973 | | | brackets are optional, those | 6974 | | | without square brackets | 6975 | | | are required. | 6976 | | | See "Implemented | 6977 | | | extensions" for more | 6978 | | | information regarding | 6979 | | | extensions and | 6980 | | | their parameters. 
| 6981 | | | \* Creating or modifying a | 6982 | | | CRL: | 6983 | | | crlutil -G|-M -c crl-gen-file | 6984 | | | -n nickname [-i crl] [-u url] | 6985 | | | [-d keydir] [-P dbprefix] [-l | 6986 | | | alg] [-a] [-B] | 6987 | | | \* Listing all CRLs or a | 6988 | | | named CRL: | 6989 | | | crlutil -L [-n | 6990 | | | crl-name] [-d keydir] | 6991 | | | \* Deleting CRL from db: | 6992 | | | crlutil -D -n | 6993 | | | nickname [-d keydir] [-P | 6994 | | | dbprefix] | 6995 | | | \* Erasing CRLs from db: | 6996 | | | crlutil -E [-d | 6997 | | | keydir] [-P dbprefix] | 7005 | | | \* Import CRL from file: | 7006 | | | crlutil -I -i crl | 7007 | | | [-t crlType] [-u url] [-d | 7008 | | | keydir] [-P dbprefix] [-B] | 7009 | | | See also | 7010 | | | certutil(1) | 7011 | | | See Also | 7012 | | | Additional Resources | 7013 | | | NSS is maintained in | 7014 | | | conjunction with PKI and | 7015 | | | security-related projects | 7016 | | | through Mozilla and Fedora. | 7017 | | | The most closely-related | 7018 | | | project is Dogtag PKI, | 7019 | | | with a project wiki at | 7020 | | | [1]\ http: | 7021 | | | //pki.fedoraproject.org/wiki/. | 7022 | | | For information | 7023 | | | specifically about NSS, the | 7024 | | | NSS project wiki is located at | 7025 | | | | 7026 | | | [2]\ `http://www.mozil | 7027 | | | la.org/projects/security/pki/n | 7028 | | | ss/ <https://www.mozilla.org/p | 7029 | | | rojects/security/pki/nss/>`__. | 7030 | | | The NSS site relates | 7031 | | | directly to NSS code | 7032 | | | changes and releases.
| 7033 | | | Mailing lists: | 7034 | | | pki-devel@redhat.com and | 7035 | | | pki-users@redhat.com | 7036 | | | IRC: Freenode at | 7037 | | | #dogtag-pki | 7038 | | | Authors | 7039 | | | The NSS tools were written | 7040 | | | and maintained by developers | 7041 | | | with Netscape and | 7042 | | | now with Red Hat. | 7043 | | | Authors: Elio Maldonado | 7044 | | | <emaldona@redhat.com>, Deon | 7045 | | | Lackey | 7046 | | | <dlackey@redhat.com>. | 7047 | | | Copyright | 7048 | | | (c) 2010, Red Hat, Inc. | 7049 | | | Licensed under the GNU Public | 7050 | | | License version 2. | 7051 | | | References | 7052 | | | Visible links | 7053 | | | 1. | 7054 | | | http | 7055 | | | ://pki.fedoraproject.org/wiki/ | 7056 | | | 2. | 7057 | | | `http://www.mozi | 7058 | | | lla.org/projects/security/pki/ | 7059 | | | nss/ <https://www.mozilla.org/ | 7060 | | | projects/security/pki/nss/>`__ | 7061 +--------------------------------+--------------------------------+--------------------------------+ 7062 | | | | 7063 +--------------------------------+--------------------------------+--------------------------------+ 7064 | 341 | :ref:`mozil | | 7065 | | la_projects_nss_tools_modutil` | | 7066 +--------------------------------+--------------------------------+--------------------------------+ 7067 | | | Name | 7068 | | | modutil — Manage PKCS #11 | 7069 | | | module information within the | 7070 | | | security module | 7071 | | | database. | 7072 | | | Synopsis | 7073 | | | modutil [options] | 7074 | | | `arguments <arguments>`__ | 7075 | | | Description | 7076 | | | The Security Module | 7077 | | | Database Tool, modutil, is a | 7078 | | | command-line utility for | 7079 | | | managing PKCS #11 module | 7080 | | | information both within | 7081 | | | secmod.db files and | 7082 | | | within hardware tokens. 
| 7083 | | | modutil can add and delete | 7084 | | | PKCS #11 modules, | 7085 | | | change passwords on | 7086 | | | security databases, set | 7087 | | | defaults, list module | 7088 | | | contents, enable or disable | 7089 | | | slots, enable or disable FIPS | 7090 | | | 140-2 | 7091 | | | compliance, and assign | 7092 | | | default providers for | 7093 | | | cryptographic operations. | 7094 | | | This tool can also create | 7095 | | | certificate, key, and module | 7096 | | | security database | 7097 | | | files. | 7098 | | | The tasks associated with | 7099 | | | security module database | 7100 | | | management are part of | 7101 | | | a process that typically | 7102 | | | also involves managing key | 7103 | | | databases and | 7104 | | | certificate databases. | 7105 | | | Options | 7106 | | | Running modutil always | 7107 | | | requires one (and only one) | 7108 | | | option to specify the | 7109 | | | type of module operation. | 7110 | | | Each option may take | 7111 | | | arguments, anywhere from | 7112 | | | none to multiple arguments. | 7113 | | | Options | 7114 | | | -add modulename | 7115 | | | Add the named PKCS | 7116 | | | #11 module to the database. | 7117 | | | Use this option | 7118 | | | with the -libfile, | 7119 | | | -ciphers, and -mechanisms | 7120 | | | arguments. | 7121 | | | -changepw tokenname | 7122 | | | Change the password | 7123 | | | on the named token. If the | 7124 | | | token has not been | 7125 | | | initialized, this | 7126 | | | option initializes the | 7127 | | | password. Use this option | 7128 | | | with the -pwfile | 7129 | | | and -newpwfile arguments. A | 7130 | | | password is | 7131 | | | equivalent to a | 7132 | | | personal identification number | 7133 | | | (PIN). | 7134 | | | -chkfips | 7135 | | | Verify whether the | 7136 | | | module is in the given FIPS | 7137 | | | mode. 
true means to | 7138 | | | verify that the | 7139 | | | module is in FIPS mode, while | 7140 | | | false means to | 7141 | | | verify that the | 7142 | | | module is not in FIPS mode. | 7143 | | | -create | 7144 | | | Create new | 7145 | | | certificate, key, and module | 7146 | | | databases. Use the -dbdir | 7147 | | | directory argument | 7148 | | | to specify a directory. If any | 7149 | | | of these | 7150 | | | databases already | 7151 | | | exist in a specified | 7152 | | | directory, modutil returns | 7153 | | | an error message. | 7154 | | | -default modulename | 7155 | | | Specify the | 7156 | | | security mechanisms for which | 7157 | | | the named module will be | 7158 | | | a default provider. | 7159 | | | The security mechanisms are | 7160 | | | specified with the | 7161 | | | -mechanisms | 7162 | | | argument. | 7163 | | | -delete modulename | 7164 | | | Delete the named | 7165 | | | module. The default NSS PKCS | 7166 | | | #11 module cannot be | 7167 | | | deleted. | 7168 | | | -disable modulename | 7169 | | | Disable all slots | 7170 | | | on the named module. Use the | 7171 | | | -slot argument to | 7172 | | | disable a specific | 7173 | | | slot. | 7174 | | | -enable modulename | 7175 | | | Enable all slots on | 7176 | | | the named module. Use the | 7177 | | | -slot argument to | 7178 | | | enable a specific | 7179 | | | slot. | 7180 | | | -fips [true \| false] | 7181 | | | Enable (true) or | 7182 | | | disable (false) FIPS 140-2 | 7183 | | | compliance for the | 7184 | | | default NSS module. | 7185 | | | -force | 7186 | | | Disable modutil's | 7187 | | | interactive prompts so it can | 7188 | | | be run from a | 7189 | | | script. Use this | 7190 | | | option only after manually | 7191 | | | testing each planned | 7192 | | | operation to check | 7193 | | | for warnings and to ensure | 7194 | | | that bypassing the | 7195 | | | prompts will cause | 7196 | | | no security lapses or loss of | 7197 | | | database | 7198 | | | integrity. 
| 7199 | | | -jar JAR-file | 7200 | | | Add a new PKCS #11 | 7201 | | | module to the database using | 7202 | | | the named JAR | 7203 | | | file. Use this | 7204 | | | command with the -installdir | 7205 | | | and -tempdir | 7206 | | | arguments. The JAR | 7207 | | | file uses the NSS PKCS #11 JAR | 7208 | | | format to | 7209 | | | identify all the | 7210 | | | files to be installed, the | 7211 | | | module's name, the | 7212 | | | mechanism flags, | 7213 | | | and the cipher flags, as well | 7214 | | | as any files to be | 7215 | | | installed on the | 7216 | | | target machine, including the | 7217 | | | PKCS #11 module | 7218 | | | library file and | 7219 | | | other files such as | 7220 | | | documentation. This is | 7221 | | | covered in the JAR | 7222 | | | installation file section in | 7223 | | | the man page, | 7224 | | | which details the | 7225 | | | special script needed to | 7226 | | | perform an installation | 7227 | | | through a server or | 7228 | | | with modutil. | 7229 | | | -list [modulename] | 7230 | | | Display basic | 7231 | | | information about the contents | 7232 | | | of the secmod.db | 7233 | | | file. Specifying a | 7234 | | | modulename displays detailed | 7235 | | | information about | 7236 | | | a particular module | 7237 | | | and its slots and tokens. | 7238 | | | -rawadd | 7239 | | | Add the module spec | 7240 | | | string to the secmod.db | 7241 | | | database. | 7242 | | | -rawlist | 7243 | | | Display the module | 7244 | | | specs for a specified module | 7245 | | | or for all | 7246 | | | loadable modules. | 7247 | | | -undefault modulename | 7248 | | | Specify the | 7249 | | | security mechanisms for which | 7250 | | | the named module will | 7251 | | | not be a default | 7252 | | | provider. The security | 7253 | | | mechanisms are specified | 7254 | | | with the | 7255 | | | -mechanisms argument. | 7256 | | | Arguments | 7257 | | | MODULE | 7258 | | | Give the security | 7259 | | | module to access. 

MODULESPEC
   Give the security module spec to load into the security database.

-ciphers cipher-enable-list
   Enable specific ciphers in a module that is being added to the database. The cipher-enable-list is a colon-delimited list of cipher names. Enclose this list in quotation marks if it contains spaces.

-dbdir [sql:]directory
   Specify the database directory in which to access or create security module database files.

   modutil supports two types of databases: the legacy security databases (cert8.db, key3.db, and secmod.db) and new SQLite databases (cert9.db, key4.db, and pkcs11.txt). If the prefix sql: is not used, then the tool assumes that the given databases are in the old format.

--dbprefix prefix
   Specify the prefix used on the database files, such as my\_ for my_cert8.db. This option is provided as a special case. Changing the names of the certificate and key databases is not recommended.

-installdir root-installation-directory
   Specify the root installation directory relative to which files will be installed by the -jar option. This directory should be one below which it is appropriate to store dynamic library files, such as a server's root directory.

-libfile library-file
   Specify a path to a library file containing the implementation of the PKCS #11 interface module that is being added to the database.

-mechanisms mechanism-list
   Specify the security mechanisms for which a particular module will be flagged as a default provider. The mechanism-list is a colon-delimited list of mechanism names. Enclose this list in quotation marks if it contains spaces.

   The module becomes a default provider for the listed mechanisms when those mechanisms are enabled. If more than one module claims to be a particular mechanism's default provider, that mechanism's default provider is undefined.

   modutil supports several mechanisms: RSA, DSA, RC2, RC4, RC5, AES, DES, DH, SHA1, SHA256, SHA512, SSL, TLS, MD5, MD2, RANDOM (for random number generation), and FRIENDLY (meaning certificates are publicly readable).

-newpwfile new-password-file
   Specify a text file containing a token's new or replacement password so that a password can be entered automatically with the -changepw option.

-nocertdb
   Do not open the certificate or key databases.
   This has several effects:

   - With the -create command, only a module security file is created; certificate and key databases are not created.
   - With the -jar command, signatures on the JAR file are not checked.
   - With the -changepw command, the password on the NSS internal module cannot be set or changed, since this password is stored in the key database.

-pwfile old-password-file
   Specify a text file containing a token's existing password so that a password can be entered automatically when the -changepw option is used to change passwords.

-secmod secmodname
   Give the name of the security module database (like secmod.db) to load.

-slot slotname
   Specify a particular slot to be enabled or disabled with the -enable or -disable options.

-string CONFIG_STRING
   Pass a configuration string for the module being added to the database.

-tempdir temporary-directory
   Give a directory location where temporary files are created during the installation by the -jar option. If no temporary directory is specified, the current directory is used.

Usage and Examples

Creating Database Files

Before any operations can be performed, there must be a set of security databases available.
modutil can be used to create these files. The only required argument is the directory where the databases will be located.

::

   modutil -create -dbdir [sql:]directory

Adding a Cryptographic Module

Adding a PKCS #11 module means submitting a supporting library file, enabling its ciphers, and setting default provider status for various security mechanisms. This can be done by supplying all of the information through modutil directly or by running a JAR file and install script. For the most basic case, simply upload the library:

::

   modutil -add modulename -libfile library-file [-ciphers cipher-enable-list] [-mechanisms mechanism-list]

For example:

::

   modutil -dbdir sql:/home/my/sharednssdb -add "Example PKCS #11 Module" -libfile "/tmp/crypto.so" -mechanisms RSA:DSA:RC2:RANDOM

   Using database directory ...
   Module "Example PKCS #11 Module" added to database.

Installing a Cryptographic Module from a JAR File

PKCS #11 modules can also be loaded using a JAR file, which contains all of the required libraries and an installation script that describes how to install the module. The JAR install script is described in more detail in the section called “JAR Installation File Format”.

The JAR installation script defines the setup information for each platform that the module can be installed on. For example:

::

   Platforms {
      Linux:5.4.08:x86 {
         ModuleName { "Example PKCS #11 Module" }
         ModuleFile { crypto.so }
         DefaultMechanismFlags{0x0000}
         CipherEnableFlags{0x0000}
         Files {
            crypto.so {
               Path{ /tmp/crypto.so }
            }
            setup.sh {
               Executable
               Path{ /tmp/setup.sh }
            }
         }
      }
      Linux:6.0.0:x86 {
         EquivalentPlatform { Linux:5.4.08:x86 }
      }
   }

Both the install script and the required libraries must be bundled in a JAR file, which is specified with the -jar argument.

::

   modutil -dbdir sql:/home/my/sharednssdb -jar install.jar -installdir sql:/home/my/sharednssdb

   This installation JAR file was signed by:
   ----------------------------------------------

   **SUBJECT NAME**

   C=US, ST=California, L=Mountain View, CN=Cryptorific Inc., OU=Digital ID Class 3 - Netscape Object Signing, OU="www.verisign.com/repository/CPS Incorp. by Ref.,LIAB.LTD(c)96", OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign, OU=VeriSign Object Signing CA - Class 3 Organization, OU="VeriSign, Inc.", O=VeriSign Trust Network

   **ISSUER NAME**, OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign, OU=VeriSign Object Signing CA - Class 3 Organization, OU="VeriSign, Inc.", O=VeriSign Trust Network
   ----------------------------------------------

   Do you wish to continue this installation? (y/n) y
   Using installer script "installer_script"
   Successfully parsed installation script
   Current platform is Linux:5.4.08:x86
   Using installation parameters for platform Linux:5.4.08:x86
   Installed file crypto.so to /tmp/crypto.so
   Installed file setup.sh to ./pk11inst.dir/setup.sh
   Executing "./pk11inst.dir/setup.sh"...
   "./pk11inst.dir/setup.sh" executed successfully
   Installed module "Example PKCS #11 Module" into module database

   Installation completed successfully

Adding Module Spec

Each module has information stored in the security database about its configuration and parameters. These can be added or edited using the -rawadd command. For the current settings or to see the format of the module spec in the database, use the -rawlist option.

::

   modutil -rawadd modulespec

Deleting a Module

A specific PKCS #11 module can be deleted from the secmod.db database:

::

   modutil -delete modulename -dbdir [sql:]directory

Displaying Module Information

The secmod.db database contains information about the PKCS #11 modules that are available to an application or server to use. The list of all modules, information about specific modules, and database configuration specs for modules can all be viewed.

To simply get a list of modules in the database, use the -list command.

::

   modutil -list [modulename] -dbdir [sql:]directory

Listing the modules shows the module name, their status, and other associated security databases for certificates and keys. For example:

::

   modutil -list -dbdir sql:/home/my/sharednssdb

   Listing of PKCS #11 Modules
   -----------------------------------------------------------
     1. NSS Internal PKCS #11 Module
            slots: 2 slots attached
            status: loaded

            slot: NSS Internal Cryptographic Services
            token: NSS Generic Crypto Services

            slot: NSS User Private Key and Certificate Services
            token: NSS Certificate DB
   -----------------------------------------------------------

Passing a specific module name with the -list returns detailed information about the module itself, like supported cipher mechanisms, version numbers, serial numbers, and other information about the module and the token it is loaded on. For example:

::

   modutil -list "NSS Internal PKCS #11 Module" -dbdir sql:/home/my/sharednssdb

   -----------------------------------------------------------
   Name: NSS Internal PKCS #11 Module
   Library file: **Internal ONLY module**
   Manufacturer: Mozilla Foundation
   Description: NSS Internal Crypto Services
   PKCS #11 Version 2.20
   Library Version: 3.11
   Cipher Enable Flags: None
   Default Mechanism Flags: RSA:RC2:RC4:DES:DH:SHA1:MD5:MD2:SSL:TLS:AES

     Slot: NSS Internal Cryptographic Services
     Slot Mechanism Flags: RSA:RC2:RC4:DES:DH:SHA1:MD5:MD2:SSL:TLS:AES
     Manufacturer: Mozilla Foundation
     Type: Software
     Version Number: 3.11
     Firmware Version: 0.0
     Status: Enabled
     Token Name: NSS Generic Crypto Services
     Token Manufacturer: Mozilla Foundation
     Token Model: NSS 3
     Token Serial Number: 0000000000000000
     Token Version: 4.0
     Token Firmware Version: 0.0
     Access: Write Protected
     Login Type: Public (no login required)
     User Pin: NOT Initialized

     Slot: NSS User Private Key and Certificate Services
     Slot Mechanism Flags: None
     Manufacturer: Mozilla Foundation
     Type: Software
     Version Number: 3.11
     Firmware Version: 0.0
     Status: Enabled
     Token Name: NSS Certificate DB
     Token Manufacturer: Mozilla Foundation
     Token Model: NSS 3
     Token Serial Number: 0000000000000000
     Token Version: 8.3
     Token Firmware Version: 0.0
     Access: NOT Write Protected
     Login Type: Login required
     User Pin: Initialized

A related command, -rawlist, returns information about the database configuration for the modules. (This information can be edited by loading new specs using the -rawadd command.)

::

   modutil -rawlist -dbdir sql:/home/my/sharednssdb
    name="NSS Internal PKCS #11 Module" parameters="configdir=. certPrefix= keyPrefix= secmod=secmod.db flags=readOnly " NSS="trustOrder=75 cipherOrder=100 slotParams={0x00000001=[ slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,RANDOM askpw=any timeout=30 ] } Flags=internal,critical"

Setting a Default Provider for Security Mechanisms

Multiple security modules may provide support for the same security mechanisms. It is possible to set a specific security module as the default provider for a specific security mechanism (or, conversely, to prohibit a provider from supplying those mechanisms).

::

   modutil -default modulename -mechanisms mechanism-list

To set a module as the default provider for mechanisms, use the -default command with a colon-separated list of mechanisms. The available mechanisms depend on the module; NSS supplies almost all common mechanisms. For example:

::

   modutil -default "NSS Internal PKCS #11 Module" -dbdir -mechanisms RSA:DSA:RC2

   Using database directory c:\databases...

   Successfully changed defaults.

Clearing the default provider has the same format:

::

   modutil -undefault "NSS Internal PKCS #11 Module" -dbdir -mechanisms MD2:MD5

Enabling and Disabling Modules and Slots

Modules, and specific slots on modules, can be selectively enabled or disabled using modutil.
Both commands have the same format:

::

   modutil -enable|-disable modulename [-slot slotname]

For example:

::

   modutil -enable "NSS Internal PKCS #11 Module" -slot "NSS Internal Cryptographic Services " -dbdir .

   Slot "NSS Internal Cryptographic Services " enabled.

Be sure that the appropriate amount of trailing whitespace is after the slot name. Some slot names have a significant amount of whitespace that must be included, or the operation will fail.

Enabling and Verifying FIPS Compliance

The NSS modules can have FIPS 140-2 compliance enabled or disabled using modutil with the -fips option. For example:

::

   modutil -fips true -dbdir sql:/home/my/sharednssdb/

   FIPS mode enabled.

To verify the status of FIPS mode, run the -chkfips command with either a true or false flag (it doesn't matter which). The tool returns the current FIPS setting.

::

   modutil -chkfips false -dbdir sql:/home/my/sharednssdb/

   FIPS mode enabled.

Changing the Password on a Token

Initializing or changing a token's password:

::

   modutil -changepw tokenname [-pwfile old-password-file] [-newpwfile new-password-file]

::

   modutil -dbdir sql:/home/my/sharednssdb -changepw "NSS Certificate DB"

   Enter old password:
   Incorrect password, try again...
   Enter old password:
   Enter new password:
   Re-enter new password:
   Token "Communicator Certificate DB" password changed successfully.

JAR Installation File Format

When a JAR file is run by a server, by modutil, or by any program that does not interpret JavaScript, a special information file must be included to install the libraries. There are several things to keep in mind with this file:

- It must be declared in the JAR archive's manifest file.
- The script can have any name.
- The metainfo tag for this is Pkcs11_install_script. To declare meta-information in the manifest file, put it in a file that is passed to signtool.

Sample Script

For example, the PKCS #11 installer script could be in the file pk11install. If so, the metainfo file for signtool includes a line such as this:

::

   + Pkcs11_install_script: pk11install

The script must define the platform and version number, the module name and file, and any optional information like supported ciphers and mechanisms. Multiple platforms can be defined in a single install file.

::

   ForwardCompatible { IRIX:6.2:mips SUNOS:5.5.1:sparc }
   Platforms {
      WINNT::x86 {
         ModuleName { "Example Module" }
         ModuleFile { win32/fort32.dll }
         DefaultMechanismFlags{0x0001}
         DefaultCipherFlags{0x0001}
         Files {
            win32/setup.exe {
               Executable
               RelativePath { %temp%/setup.exe }
            }
            win32/setup.hlp {
               RelativePath { %temp%/setup.hlp }
            }
            win32/setup.cab {
               RelativePath { %temp%/setup.cab }
            }
         }
      }
      WIN95::x86 {
         EquivalentPlatform {WINNT::x86}
      }
      SUNOS:5.5.1:sparc {
         ModuleName { "Example UNIX Module" }
         ModuleFile { unix/fort.so }
         DefaultMechanismFlags{0x0001}
         CipherEnableFlags{0x0001}
         Files {
            unix/fort.so {
               RelativePath{%root%/lib/fort.so}
               AbsolutePath{/usr/local/netscape/lib/fort.so}
               FilePermissions{555}
            }
            xplat/instr.html {
               RelativePath{%root%/docs/inst.html}
               AbsolutePath{/usr/local/netscape/docs/inst.html}
               FilePermissions{555}
            }
         }
      }
      IRIX:6.2:mips {
         EquivalentPlatform { SUNOS:5.5.1:sparc }
      }
   }

Script Grammar

The script is basic Java, allowing lists, key-value pairs, strings, and combinations of all of them.

::

   --> valuelist

   valuelist --> value valuelist
                  <null>

   value ---> key_value_pair
               string

   key_value_pair --> key { valuelist }

   key --> string

   string --> simple_string
               "complex_string"

   simple_string --> [^ \\t\n\""{""}"]+

   complex_string --> ([^\"\\\r\n]|(\\\")|(\\\\))+

Quotes and backslashes must be escaped with a backslash. A complex string must not include newlines or carriage returns. Outside of complex strings, all white space (for example, spaces, tabs, and carriage returns) is considered equal and is used only to delimit tokens.

Keys

The Java install file uses keys to define the platform and module information.

ForwardCompatible gives a list of platforms that are forward compatible. If the current platform cannot be found in the list of supported platforms, then the ForwardCompatible list is checked for any platforms that have the same OS and architecture in an earlier version. If one is found, its attributes are used for the current platform.

Platforms (required) Gives a list of platforms. Each entry in the list is itself a key-value pair: the key is the name of the platform and the value list contains various attributes of the platform. The platform string is in the format system name:OS release:architecture.
The installer obtains these values from NSPR. OS release is an empty string on non-Unix operating systems. NSPR supports these platforms:

- AIX (rs6000)
- BSDI (x86)
- FREEBSD (x86)
- HPUX (hppa1.1)
- IRIX (mips)
- LINUX (ppc, alpha, x86)
- MacOS (PowerPC)
- NCR (x86)
- NEC (mips)
- OS2 (x86)
- OSF (alpha)
- ReliantUNIX (mips)
- SCO (x86)
- SOLARIS (sparc)
- SONY (mips)
- SUNOS (sparc)
- UnixWare (x86)
- WIN16 (x86)
- WIN95 (x86)
- WINNT (x86)

For example:

::

   IRIX:6.2:mips
   SUNOS:5.5.1:sparc
   Linux:2.0.32:x86
   WIN95::x86

The module information is defined independently for each platform in the ModuleName, ModuleFile, and Files attributes. These attributes must be given unless an EquivalentPlatform attribute is specified.

Per-Platform Keys

Per-platform keys have meaning only within the value list of an entry in the Platforms list.

ModuleName (required) gives the common name for the module. This name is used to reference the module by servers and by the modutil tool.

ModuleFile (required) names the PKCS #11 module file for this platform. The name is given as the relative path of the file within the JAR archive.

Files (required) lists the files that need to be installed for this module.
Each entry in the file list is a key-value pair. The key is the path of the file in the JAR archive, and the value list contains attributes of the file. At least RelativePath or AbsolutePath must be specified for each file.

DefaultMechanismFlags specifies mechanisms for which this module is the default provider; this is equivalent to the -mechanisms option with the -add command. This key-value pair is a bitstring specified in hexadecimal (0x) format. It is constructed as a bitwise OR. If the DefaultMechanismFlags entry is omitted, the value defaults to 0x0.

::

   RSA:                   0x00000001
   DSA:                   0x00000002
   RC2:                   0x00000004
   RC4:                   0x00000008
   DES:                   0x00000010
   DH:                    0x00000020
   FORTEZZA:              0x00000040
   RC5:                   0x00000080
   SHA1:                  0x00000100
   MD5:                   0x00000200
   MD2:                   0x00000400
   RANDOM:                0x08000000
   FRIENDLY:              0x10000000
   OWN_PW_DEFAULTS:       0x20000000
   DISABLE:               0x40000000

CipherEnableFlags specifies ciphers that this module provides that NSS does not provide (so that the module enables those ciphers for NSS). This is equivalent to the -ciphers argument with the -add command. This key is a bitstring specified in hexadecimal (0x) format.
It is constructed as a bitwise OR. If the CipherEnableFlags entry is omitted, the value defaults to 0x0.

EquivalentPlatform specifies that the attributes of the named platform should also be used for the current platform. This makes it easier when more than one platform uses the same settings.

Per-File Keys

Some keys have meaning only within the value list of an entry in a Files list.

Each file requires a path key that identifies where the file is. Either RelativePath or AbsolutePath must be specified. If both are specified, the relative path is tried first, and the absolute path is used only if no relative root directory is provided by the installer program.

RelativePath specifies the destination directory of the file, relative to some directory decided at install time. Two variables can be used in the relative path: %root% and %temp%. %root% is replaced at run time with the directory relative to which files should be installed; for example, it may be the server's root directory. The %temp% directory is created at the beginning of the installation and destroyed at the end. The purpose of %temp% is to hold executable files (such as setup programs) or files that are used by these programs.
Files destined for the temporary directory are guaranteed to be in place before any executable file is run; they are not deleted until all executable files have finished.

AbsolutePath specifies the destination directory of the file as an absolute path.

Executable specifies that the file is to be executed during the course of the installation. Typically, this string is used for a setup program provided by a module vendor, such as a self-extracting setup executable. More than one file can be specified as executable, in which case the files are run in the order in which they are specified in the script file.

FilePermissions sets permissions on any referenced files in a string of octal digits, according to the standard Unix format. This string is a bitwise OR.

::

   user read:                0400
   user write:               0200
   user execute:             0100
   group read:               0040
   group write:              0020
   group execute:            0010
   other read:               0004
   other write:              0002
   other execute:            0001

Some platforms may not understand these permissions. They are applied only insofar as they make sense for the current platform. If this attribute is omitted, a default of 777 is assumed.
| 8263 | | | NSS Database Types | 8264 | | | NSS originally used | 8265 | | | BerkeleyDB databases to store | 8266 | | | security information. | 8267 | | | The last versions of these | 8268 | | | legacy databases are: | 8269 | | | o cert8.db for | 8270 | | | certificates | 8271 | | | o key3.db for keys | 8272 | | | o secmod.db for PKCS #11 | 8273 | | | module information | 8274 | | | BerkeleyDB has performance | 8275 | | | limitations, though, which | 8276 | | | prevent it from | 8277 | | | being easily used by | 8278 | | | multiple applications | 8279 | | | simultaneously. NSS has some | 8280 | | | flexibility that allows | 8281 | | | applications to use their own, | 8282 | | | independent | 8283 | | | database engine while | 8284 | | | keeping a shared database and | 8285 | | | working around the | 8286 | | | access issues. Still, NSS | 8287 | | | requires more flexibility to | 8288 | | | provide a truly | 8289 | | | shared security database. | 8290 | | | In 2009, NSS introduced a | 8291 | | | new set of databases that are | 8292 | | | SQLite databases | 8293 | | | rather than BerkeleyDB. | 8294 | | | These new databases provide | 8295 | | | more accessibility and | 8296 | | | performance: | 8297 | | | o cert9.db for | 8298 | | | certificates | 8299 | | | o key4.db for keys | 8300 | | | o pkcs11.txt, which is a | 8301 | | | listing of all of the PKCS #11 | 8302 | | | modules contained | 8303 | | | in a new subdirectory | 8304 | | | in the security databases | 8305 | | | directory | 8306 | | | Because the SQLite | 8307 | | | databases are designed to be | 8308 | | | shared, these are the | 8309 | | | shared database type. The | 8310 | | | shared database type is | 8311 | | | preferred; the legacy | 8312 | | | format is included for | 8313 | | | backward compatibility. | 8314 | | | By default, the tools | 8315 | | | (certutil, pk12util, modutil) | 8316 | | | assume that the given | 8317 | | | security databases follow | 8318 | | | the more common legacy type. 
| 8319 | | | Using the SQLite | 8320 | | | databases must be manually | 8321 | | | specified by using the sql: | 8322 | | | prefix with the | 8323 | | | given security directory. | 8324 | | | For example: | 8325 | | | modutil -create -dbdir | 8326 | | | sql:/home/my/sharednssdb | 8327 | | | To set the shared database | 8328 | | | type as the default type for | 8329 | | | the tools, set the | 8330 | | | NSS_DEFAULT_DB_TYPE | 8331 | | | environment variable to sql: | 8332 | | | export | 8333 | | | NSS_DEFAULT_DB_TYPE="sql" | 8334 | | | This line can be added | 8335 | | | to the ~/.bashrc file to make | 8336 | | | the change | 8337 | | | permanent. | 8338 | | | Most applications do not | 8339 | | | use the shared database by | 8340 | | | default, but they can | 8341 | | | be configured to use them. | 8342 | | | For example, this how-to | 8343 | | | article covers how to | 8344 | | | configure Firefox and | 8345 | | | Thunderbird to use the new | 8346 | | | shared NSS databases: | 8347 | | | | 8348 | | | o https://wiki.m | 8349 | | | ozilla.org/NSS_Shared_DB_Howto | 8350 | | | For an engineering draft on | 8351 | | | the changes in the shared NSS | 8352 | | | databases, see | 8353 | | | the NSS project wiki: | 8354 | | | | 8355 | | | o https:// | 8356 | | | wiki.mozilla.org/NSS_Shared_DB | 8357 | | | See Also | 8358 | | | certutil (1) | 8359 | | | pk12util (1) | 8360 | | | signtool (1) | 8361 | | | The NSS wiki has | 8362 | | | information on the new | 8363 | | | database design and how to | 8364 | | | configure applications to | 8365 | | | use it. 
| 8366 | | | | 8367 | | | o https://wiki.m | 8368 | | | ozilla.org/NSS_Shared_DB_Howto | 8369 | | | | 8370 | | | o https:// | 8371 | | | wiki.mozilla.org/NSS_Shared_DB | 8372 | | | Additional Resources | 8373 | | | For information about NSS | 8374 | | | and other tools related to NSS | 8375 | | | (like JSS), check | 8376 | | | out the NSS project wiki at | 8377 | | | | 8378 | | | [2]\ `http://www.mozil | 8379 | | | la.org/projects/security/pki/n | 8380 | | | ss/ <https://www.mozilla.org/p | 8381 | | | rojects/security/pki/nss/>`__. | 8382 | | | The NSS site relates | 8383 | | | directly to NSS code | 8384 | | | changes and releases. | 8385 | | | Mailing lists: | 8386 | | | https://lists.mozill | 8387 | | | a.org/listinfo/dev-tech-crypto | 8388 | | | IRC: Freenode at | 8389 | | | #dogtag-pki | 8390 | | | Authors | 8391 | | | The NSS tools were written | 8392 | | | and maintained by developers | 8393 | | | with Netscape, Red | 8394 | | | Hat, and Sun. | 8395 | | | Authors: Elio Maldonado | 8396 | | | <emaldona@redhat.com>, Deon | 8397 | | | Lackey | 8398 | | | <dlackey@redhat.com>. | 8399 | | | Copyright | 8400 | | | (c) 2010, Red Hat, Inc. | 8401 | | | Licensed under the GNU Public | 8402 | | | License version 2. | 8403 | | | References | 8404 | | | Visible links | 8405 | | | 1. JAR Installation File | 8406 | | | Format | 8407 | | | | 8408 | | | ``file:///tmp/xmlto.6gGxS0/ | 8409 | | | modutil.pro...r-install-file`` | 8410 | | | 2. | 8411 | | | https://www.mozilla. 
| 8412 | | | org/projects/security/pki/nss/ | 8413 +--------------------------------+--------------------------------+--------------------------------+ 8414 | | | | 8415 +--------------------------------+--------------------------------+--------------------------------+ 8416 | 342 | :ref:`mozilla_projects_nss_t | | 8417 | | ools_nss_tools_certutil-tasks` | | 8418 +--------------------------------+--------------------------------+--------------------------------+ 8419 | | | Newsgroup: | 8420 | | | `mozilla.dev.tech | 8421 | | | .crypto <news://news.mozilla.o | 8422 | | | rg/mozilla.dev.tech.crypto>`__ | 8423 +--------------------------------+--------------------------------+--------------------------------+ 8424 | | | | 8425 +--------------------------------+--------------------------------+--------------------------------+ 8426 | 343 | :ref:`mozilla_projects | **certificates, x509v3** | 8427 | | _nss_tools_nss_tools_certutil` | | 8428 +--------------------------------+--------------------------------+--------------------------------+ 8429 | | | The Certificate Database Tool | 8430 | | | is a command-line utility that | 8431 | | | can create and modify the | 8432 | | | Netscape Communicator | 8433 | | | ``cert8.db`` and | 8434 | | | ``key3.db``\ database files. | 8435 | | | It can also list, generate, | 8436 | | | modify, or delete certificates | 8437 | | | within the ``cert8.db``\ file | 8438 | | | and create or change the | 8439 | | | password, generate new public | 8440 | | | and private key pairs, display | 8441 | | | the contents of the key | 8442 | | | database, or delete key pairs | 8443 | | | within the ``key3.db`` file. 
| 8444 +--------------------------------+--------------------------------+--------------------------------+ 8445 | | | | 8446 +--------------------------------+--------------------------------+--------------------------------+ 8447 | 344 | :ref:`mozilla_project | | 8448 | | s_nss_tools_nss_tools_cmsutil` | | 8449 +--------------------------------+--------------------------------+--------------------------------+ 8450 | | | The cmsutil command-line | 8451 | | | utility uses the `S/MIME | 8452 | | | Toolkit <../smime/>`__ to | 8453 | | | perform basic operations, such | 8454 | | | as encryption and decryption, | 8455 | | | on `Cryptographic Message | 8456 | | | Syntax (CMS) <http://ww | 8457 | | | w.ietf.org/rfc/rfc2630.txt>`__ | 8458 | | | messages. | 8459 +--------------------------------+--------------------------------+--------------------------------+ 8460 | | | | 8461 +--------------------------------+--------------------------------+--------------------------------+ 8462 | 345 | :ref:`mozilla_project | | 8463 | | s_nss_tools_nss_tools_crlutil` | | 8464 +--------------------------------+--------------------------------+--------------------------------+ 8465 | | | Newsgroup: | 8466 | | | `mozilla.dev.tech | 8467 | | | .crypto <news://news.mozilla.o | 8468 | | | rg/mozilla.dev.tech.crypto>`__ | 8469 +--------------------------------+--------------------------------+--------------------------------+ 8470 | | | | 8471 +--------------------------------+--------------------------------+--------------------------------+ 8472 | 346 | :ref:`mozilla_projects_n | | 8473 | | ss_tools_nss_tools_dbck-tasks` | | 8474 +--------------------------------+--------------------------------+--------------------------------+ 8475 | | | Newsgroup: | 8476 | | | `mozilla.dev.tech | 8477 | | | .crypto <news://news.mozilla.o | 8478 | | | rg/mozilla.dev.tech.crypto>`__ | 8479 +--------------------------------+--------------------------------+--------------------------------+ 8480 | | | | 
8481 +--------------------------------+--------------------------------+--------------------------------+ 8482 | 347 | :ref:`mozilla_projects_nss_ | | 8483 | | tools_nss_tools_modutil-tasks` | | 8484 +--------------------------------+--------------------------------+--------------------------------+ 8485 | | | Newsgroup: | 8486 | | | `mozilla.dev.tech | 8487 | | | .crypto <news://news.mozilla.o | 8488 | | | rg/mozilla.dev.tech.crypto>`__ | 8489 +--------------------------------+--------------------------------+--------------------------------+ 8490 | | | | 8491 +--------------------------------+--------------------------------+--------------------------------+ 8492 | 348 | :ref:`mozilla_project | | 8493 | | s_nss_tools_nss_tools_modutil` | | 8494 +--------------------------------+--------------------------------+--------------------------------+ 8495 | | | The Security Module Database | 8496 | | | Tool is a command-line utility | 8497 | | | for managing PKCS #11 module | 8498 | | | information within | 8499 | | | ``secmod.db`` files or within | 8500 | | | hardware tokens. You can use | 8501 | | | the tool to add and delete | 8502 | | | PKCS #11 modules, change | 8503 | | | passwords, set defaults, list | 8504 | | | module contents, enable or | 8505 | | | disable slots, enable or | 8506 | | | disable FIPS 140-2 compliance, | 8507 | | | and assign default providers | 8508 | | | for cryptographic operations. | 8509 | | | This tool can also create | 8510 | | | ``key3.db``, ``cert8.db``, and | 8511 | | | ``secmod.db`` security | 8512 | | | database files. 
| 8513 +--------------------------------+--------------------------------+--------------------------------+ 8514 | | | | 8515 +--------------------------------+--------------------------------+--------------------------------+ 8516 | 349 | :ref:`mozilla_projects_nss_t | | 8517 | | ools_nss_tools_pk12util-tasks` | | 8518 +--------------------------------+--------------------------------+--------------------------------+ 8519 | | | Newsgroup: | 8520 | | | `mozilla.dev.tech | 8521 | | | .crypto <news://news.mozilla.o | 8522 | | | rg/mozilla.dev.tech.crypto>`__ | 8523 +--------------------------------+--------------------------------+--------------------------------+ 8524 | | | | 8525 +--------------------------------+--------------------------------+--------------------------------+ 8526 | 350 | :ref:`mozilla_projects | | 8527 | | _nss_tools_nss_tools_pk12util` | | 8528 +--------------------------------+--------------------------------+--------------------------------+ 8529 | | | The PKCS #12 utility makes | 8530 | | | sharing of certificates among | 8531 | | | Enterprise server 3.x and any | 8532 | | | server (Netscape products or | 8533 | | | non-Netscape products) that | 8534 | | | supports PKCS#12 possible. The | 8535 | | | tool allows you to import | 8536 | | | certificates and keys from | 8537 | | | pkcs #12 files into NSS or | 8538 | | | export them and also list | 8539 | | | certificates and keys in such | 8540 | | | files. 
| 8541 +--------------------------------+--------------------------------+--------------------------------+ 8542 | | | | 8543 +--------------------------------+--------------------------------+--------------------------------+ 8544 | 351 | :ref:`mozilla_projects_nss_ | | 8545 | | tools_nss_tools_signver-tasks` | | 8546 +--------------------------------+--------------------------------+--------------------------------+ 8547 | | | *No summary!* | 8548 +--------------------------------+--------------------------------+--------------------------------+ 8549 | | | | 8550 +--------------------------------+--------------------------------+--------------------------------+ 8551 | 352 | :ref:`mozilla_projects_ns | | 8552 | | s_tools_nss_tools_sslstrength` | | 8553 +--------------------------------+--------------------------------+--------------------------------+ 8554 | | | A simple command-line client | 8555 | | | which connects to an | 8556 | | | SSL-server, and reports back | 8557 | | | the encryption cipher and | 8558 | | | strength used. | 8559 +--------------------------------+--------------------------------+--------------------------------+ 8560 | | | | 8561 +--------------------------------+--------------------------------+--------------------------------+ 8562 | 353 | :ref:`mozilla_projec | | 8563 | | ts_nss_tools_nss_tools_ssltap` | | 8564 +--------------------------------+--------------------------------+--------------------------------+ 8565 | | | The SSL Debugging Tool is an | 8566 | | | SSL-aware command-line proxy. | 8567 | | | It watches TCP connections and | 8568 | | | displays the data going by. If | 8569 | | | a connection is SSL, the data | 8570 | | | display includes interpreted | 8571 | | | SSL records and handshaking. 
| 8572 +--------------------------------+--------------------------------+--------------------------------+ 8573 | | | | 8574 +--------------------------------+--------------------------------+--------------------------------+ 8575 | 354 | :ref:`mozill | | 8576 | | a_projects_nss_tools_pk12util` | | 8577 +--------------------------------+--------------------------------+--------------------------------+ 8578 | | | Name | 8579 | | | pk12util — Export and | 8580 | | | import keys and certificate to | 8581 | | | or from a PKCS #12 | 8582 | | | file and the NSS database | 8583 | | | Synopsis | 8584 | | | pk12util [-i p12File [-h | 8585 | | | tokenname] [-v] | 8586 | | | [common-options] ] [ -l | 8587 | | | p12File | 8588 | | | [-h tokenname] [-r] | 8589 | | | [common-options] ] [ -o | 8590 | | | p12File -n certname [-c | 8591 | | | keyCipher] [-C certCipher] | 8592 | | | [-m|--key_len keyLen] | 8593 | | | [-n|--cert_key_len | 8594 | | | certKeyLen] | 8595 | | | [common-options] ] [ | 8596 | | | common-options are: [-d | 8597 | | | [sql:]directory] | 8598 | | | [-P dbprefix] [-k | 8599 | | | slotPasswordFile|-K | 8600 | | | slotPassword] [-w | 8601 | | | p12filePasswordFile|-W | 8602 | | | p12filePassword] ] | 8603 | | | Description | 8604 | | | The PKCS #12 utility, | 8605 | | | pk12util, enables sharing | 8606 | | | certificates among any | 8607 | | | server that supports | 8608 | | | PKCS#12. The tool can import | 8609 | | | certificates and keys | 8610 | | | from PKCS#12 files into | 8611 | | | security databases, export | 8612 | | | certificates, and list | 8613 | | | certificates and keys. | 8614 | | | Options and Arguments | 8615 | | | Options | 8616 | | | -i p12file | 8617 | | | Import keys and | 8618 | | | certificates from a PKCS#12 | 8619 | | | file into a security | 8620 | | | database. | 8621 | | | -l p12file | 8622 | | | List the keys and | 8623 | | | certificates in PKCS#12 file. 
| 8624 | | | -o p12file | 8625 | | | Export keys and | 8626 | | | certificates from the security | 8627 | | | database to a | 8628 | | | PKCS#12 file. | 8629 | | | Arguments | 8630 | | | -n certname | 8631 | | | Specify the | 8632 | | | nickname of the cert and | 8633 | | | private key to export. | 8634 | | | -d [sql:]directory | 8635 | | | Specify the | 8636 | | | database directory into which | 8637 | | | to import to or export | 8638 | | | from certificates | 8639 | | | and keys. | 8640 | | | pk12util supports | 8641 | | | two types of databases: the | 8642 | | | legacy security | 8643 | | | databases | 8644 | | | (cert8.db, key3.db, and | 8645 | | | secmod.db) and new SQLite | 8646 | | | databases | 8647 | | | (cert9.db, key4.db, and | 8648 | | | pkcs11.txt). If the prefix | 8649 | | | sql: | 8650 | | | is not used, then | 8651 | | | the tool assumes that the | 8652 | | | given databases are in | 8653 | | | the old format. | 8654 | | | -P prefix | 8655 | | | Specify the prefix | 8656 | | | used on the certificate and | 8657 | | | key databases. This | 8658 | | | option is provided | 8659 | | | as a special case. Changing | 8660 | | | the names of the | 8661 | | | certificate and key | 8662 | | | databases is not recommended. | 8663 | | | -h tokenname | 8664 | | | Specify the name of | 8665 | | | the token to import into or | 8666 | | | export from. | 8667 | | | -v | 8668 | | | Enable debug | 8669 | | | logging when importing. | 8670 | | | -k slotPasswordFile | 8671 | | | Specify the text | 8672 | | | file containing the slot's | 8673 | | | password. | 8674 | | | -K slotPassword | 8675 | | | Specify the slot's | 8676 | | | password. | 8677 | | | -w p12filePasswordFile | 8678 | | | Specify the text | 8679 | | | file containing the pkcs #12 | 8680 | | | file password. | 8681 | | | -W p12filePassword | 8682 | | | Specify the pkcs | 8683 | | | #12 file password. | 8684 | | | -c keyCipher | 8685 | | | Specify the key | 8686 | | | encryption algorithm. 
| 8687 | | | -C certCipher | 8688 | | | Specify the key | 8689 | | | cert (overall package) | 8690 | | | encryption algorithm. | 8691 | | | -m \| --key-len keyLength | 8692 | | | Specify the desired | 8693 | | | length of the symmetric key to | 8694 | | | be used to | 8695 | | | encrypt the private | 8696 | | | key. | 8697 | | | -n \| --cert-key-len | 8698 | | | certKeyLength | 8699 | | | Specify the desired | 8700 | | | length of the symmetric key to | 8701 | | | be used to | 8702 | | | encrypt the | 8703 | | | certificates and other | 8704 | | | meta-data. | 8705 | | | -r | 8706 | | | Dumps all of the | 8707 | | | data in raw (binary) form. | 8708 | | | This must be saved as | 8709 | | | a DER file. The | 8710 | | | default is to return | 8711 | | | information in a pretty-print | 8712 | | | ASCII format, which | 8713 | | | displays the information about | 8714 | | | the | 8715 | | | certificates and | 8716 | | | public keys in the p12 file. | 8717 | | | Return Codes | 8718 | | | o 0 - No error | 8719 | | | o 1 - User Cancelled | 8720 | | | o 2 - Usage error | 8721 | | | o 6 - NLS init error | 8722 | | | o 8 - Certificate DB open | 8723 | | | error | 8724 | | | o 9 - Key DB open error | 8725 | | | o 10 - File | 8726 | | | initialization error | 8727 | | | o 11 - Unicode conversion | 8728 | | | error | 8729 | | | o 12 - Temporary file | 8730 | | | creation error | 8731 | | | o 13 - PKCS11 get slot | 8732 | | | error | 8733 | | | o 14 - PKCS12 decoder | 8734 | | | start error | 8735 | | | o 15 - error read from | 8736 | | | import file | 8737 | | | o 16 - pkcs12 decode | 8738 | | | error | 8739 | | | o 17 - pkcs12 decoder | 8740 | | | verify error | 8741 | | | o 18 - pkcs12 decoder | 8742 | | | validate bags error | 8743 | | | o 19 - pkcs12 decoder | 8744 | | | import bags error | 8745 | | | o 20 - key db conversion | 8746 | | | version 3 to version 2 error | 8747 | | | o 21 - cert db conversion | 8748 | | | version 7 to version 5 error | 8749 | | | o 22 - cert and 
key dbs | 8750 | | | patch error | 8751 | | | o 23 - get default cert | 8752 | | | db error | 8753 | | | o 24 - find cert by | 8754 | | | nickname error | 8755 | | | o 25 - create export | 8756 | | | context error | 8757 | | | o 26 - PKCS12 add | 8758 | | | password integrity error | 8759 | | | o 27 - cert and key Safes | 8760 | | | creation error | 8761 | | | o 28 - PKCS12 add cert | 8762 | | | and key error | 8763 | | | o 29 - PKCS12 encode | 8764 | | | error | 8765 | | | Examples | 8766 | | | Importing Keys and | 8767 | | | Certificates | 8768 | | | The most basic usage of | 8769 | | | pk12util for importing a | 8770 | | | certificate or key is the | 8771 | | | PKCS#12 input file (-i) and | 8772 | | | some way to specify the | 8773 | | | security database | 8774 | | | being accessed (either -d | 8775 | | | for a directory or -h for a | 8776 | | | token). | 8777 | | | pk12util -i p12File [-h | 8778 | | | tokenname] [-v] [-d | 8779 | | | [sql:]directory] [-P dbprefix] | 8780 | | | [-k slotPasswordFile|-K | 8781 | | | slotPassword] [-w | 8782 | | | p12filePasswordFile|-W | 8783 | | | p12filePassword] | 8784 | | | For example: | 8785 | | | # pk12util -i | 8786 | | | /tmp/cert-files/users.p12 -d | 8787 | | | sql:/home/my/sharednssdb | 8788 | | | Enter a password which will | 8789 | | | be used to encrypt your keys. | 8790 | | | The password should be at | 8791 | | | least 8 characters long, | 8792 | | | and should contain at least | 8793 | | | one non-alphabetic character. 
| 8794 | | | Enter new password: | 8795 | | | Re-enter password: | 8796 | | | Enter password for PKCS12 | 8797 | | | file: | 8798 | | | pk12util: PKCS12 IMPORT | 8799 | | | SUCCESSFUL | 8800 | | | Exporting Keys and | 8801 | | | Certificates | 8802 | | | Using the pk12util command | 8803 | | | to export certificates and | 8804 | | | keys requires both | 8805 | | | the name of the certificate | 8806 | | | to extract from the database | 8807 | | | (-n) and the | 8808 | | | PKCS#12-formatted output | 8809 | | | file to write to. There are | 8810 | | | optional parameters | 8811 | | | that can be used to encrypt | 8812 | | | the file to protect the | 8813 | | | certificate material. | 8814 | | | pk12util -o p12File -n | 8815 | | | certname [-c keyCipher] [-C | 8816 | | | certCipher] [-m|--key_len | 8817 | | | keyLen] [-n|--cert_key_len | 8818 | | | certKeyLen] [-d | 8819 | | | [sql:]directory] [-P dbprefix] | 8820 | | | [-k slotPasswordFile|-K | 8821 | | | slotPassword] [-w | 8822 | | | p12filePasswordFile|-W | 8823 | | | p12filePassword] | 8824 | | | For example: | 8825 | | | # pk12util -o certs.p12 -n | 8826 | | | Server-Cert -d | 8827 | | | sql:/home/my/sharednssdb | 8828 | | | Enter password for PKCS12 | 8829 | | | file: | 8830 | | | Re-enter password: | 8831 | | | Listing Keys and | 8832 | | | Certificates | 8833 | | | The information in a .p12 | 8834 | | | file is not human-readable. | 8835 | | | The certificates | 8836 | | | and keys in the file can be | 8837 | | | printed (listed) in a | 8838 | | | human-readable | 8839 | | | pretty-print format that | 8840 | | | shows information for every | 8841 | | | certificate and any | 8842 | | | public keys in the .p12 | 8843 | | | file. 
| 8844 | | | pk12util -l p12File [-h | 8845 | | | tokenname] [-r] [-d | 8846 | | | [sql:]directory] [-P dbprefix] | 8847 | | | [-k slotPasswordFile|-K | 8848 | | | slotPassword] [-w | 8849 | | | p12filePasswordFile|-W | 8850 | | | p12filePassword] | 8851 | | | For example, this prints | 8852 | | | the default ASCII output: | 8853 | | | # pk12util -l certs.p12 | 8854 | | | Enter password for PKCS12 | 8855 | | | file: | 8856 | | | Key(shrouded): | 8857 | | | Friendly Name: Thawte | 8858 | | | Freemail Member's Thawte | 8859 | | | Consulting (Pty) Ltd. ID | 8860 | | | Encryption algorithm: | 8861 | | | PKCS #12 V2 PBE With SHA-1 And | 8862 | | | 3KEY Triple DES-CBC | 8863 | | | Parameters: | 8864 | | | Salt: | 8865 | | | | 8866 | | | 45:2e:6a:a0:03:4d | 8867 | | | :7b:a1:63:3c:15:ea:67:37:62:1f | 8868 | | | Iteration Count: | 8869 | | | 1 (0x1) | 8870 | | | Certificate: | 8871 | | | Data: | 8872 | | | Version: 3 (0x2) | 8873 | | | Serial Number: 13 | 8874 | | | (0xd) | 8875 | | | Signature Algorithm: | 8876 | | | PKCS #1 SHA-1 With RSA | 8877 | | | Encryption | 8878 | | | Issuer: | 8879 | | | "E=personal | 8880 | | | -freemail@thawte.com,CN=Thawte | 8881 | | | Personal Freemail C | 8882 | | | | 8883 | | | A,OU=Certification Services | 8884 | | | Division,O=Thawte | 8885 | | | Consulting,L=Cape T | 8886 | | | own,ST=Western | 8887 | | | Cape,C=ZA" | 8888 | | | .... | 8889 | | | Alternatively, the -r | 8890 | | | prints the certificates and | 8891 | | | then exports them into | 8892 | | | separate DER binary files. | 8893 | | | This allows the certificates | 8894 | | | to be fed to | 8895 | | | another application that | 8896 | | | supports .p12 files. 
Each | 8897 | | | certificate is written | 8898 | | | to a sequentially-numbered | 8899 | | | file, beginning with | 8900 | | | file0001.der and continuing | 8901 | | | through file000N.der, | 8902 | | | incrementing the number for | 8903 | | | every certificate: | 8904 | | | # pk12util -l test.p12 -r | 8905 | | | Enter password for PKCS12 | 8906 | | | file: | 8907 | | | Key(shrouded): | 8908 | | | Friendly Name: Thawte | 8909 | | | Freemail Member's Thawte | 8910 | | | Consulting (Pty) Ltd. ID | 8911 | | | Encryption algorithm: | 8912 | | | PKCS #12 V2 PBE With SHA-1 And | 8913 | | | 3KEY Triple DES-CBC | 8914 | | | Parameters: | 8915 | | | Salt: | 8916 | | | | 8917 | | | 45:2e:6a:a0:03:4d | 8918 | | | :7b:a1:63:3c:15:ea:67:37:62:1f | 8919 | | | Iteration Count: | 8920 | | | 1 (0x1) | 8921 | | | Certificate Friendly Name: | 8922 | | | Thawte Personal Freemail | 8923 | | | Issuing CA - Thawte Consulting | 8924 | | | Certificate Friendly Name: | 8925 | | | Thawte Freemail Member's | 8926 | | | Thawte Consulting (Pty) Ltd. | 8927 | | | ID | 8928 | | | Password Encryption | 8929 | | | PKCS#12 provides for not | 8930 | | | only the protection of the | 8931 | | | private keys but also | 8932 | | | the certificate and | 8933 | | | meta-data associated with the | 8934 | | | keys. Password-based | 8935 | | | encryption is used to | 8936 | | | protect private keys on export | 8937 | | | to a PKCS#12 file | 8938 | | | and, optionally, the entire | 8939 | | | package. If no algorithm is | 8940 | | | specified, the | 8941 | | | tool defaults to using | 8942 | | | PKCS12 V2 PBE with SHA1 and | 8943 | | | 3KEY Triple DES-cbc for | 8944 | | | private key encryption. | 8945 | | | PKCS12 V2 PBE with SHA1 and 40 | 8946 | | | Bit RC4 is the | 8947 | | | default for the overall | 8948 | | | package encryption when not in | 8949 | | | FIPS mode. When in | 8950 | | | FIPS mode, there is no | 8951 | | | package encryption. 
| 8952 | | | The private key is always | 8953 | | | protected with strong | 8954 | | | encryption by default. | 8955 | | | Several types of ciphers | 8956 | | | are supported. | 8957 | | | Symmetric CBC ciphers for | 8958 | | | PKCS#5 V2 | 8959 | | | DES_CBC | 8960 | | | o RC2-CBC | 8961 | | | o RC5-CBCPad | 8962 | | | o DES-EDE3-CBC | 8963 | | | (the default for key | 8964 | | | encryption) | 8965 | | | o AES-128-CBC | 8966 | | | o AES-192-CBC | 8967 | | | o AES-256-CBC | 8968 | | | | 8969 | | | o CAMELLIA-128-CBC | 8970 | | | | 8971 | | | o CAMELLIA-192-CBC | 8972 | | | | 8973 | | | o CAMELLIA-256-CBC | 8974 | | | PKCS#12 PBE ciphers | 8975 | | | PKCS #12 PBE with | 8976 | | | Sha1 and 128 Bit RC4 | 8977 | | | o PKCS #12 PBE | 8978 | | | with Sha1 and 40 Bit RC4 | 8979 | | | o PKCS #12 PBE | 8980 | | | with Sha1 and Triple DES CBC | 8981 | | | o PKCS #12 PBE | 8982 | | | with Sha1 and 128 Bit RC2 CBC | 8983 | | | o PKCS #12 PBE | 8984 | | | with Sha1 and 40 Bit RC2 CBC | 8985 | | | o PKCS12 V2 PBE | 8986 | | | with SHA1 and 128 Bit RC4 | 8987 | | | o PKCS12 V2 PBE | 8988 | | | with SHA1 and 40 Bit RC4 (the | 8989 | | | default for | 8990 | | | non-FIPS mode) | 8991 | | | o PKCS12 V2 PBE | 8992 | | | with SHA1 and 3KEY Triple | 8993 | | | DES-cbc | 8994 | | | o PKCS12 V2 PBE | 8995 | | | with SHA1 and 2KEY Triple | 8996 | | | DES-cbc | 8997 | | | o PKCS12 V2 PBE | 8998 | | | with SHA1 and 128 Bit RC2 CBC | 8999 | | | o PKCS12 V2 PBE | 9000 | | | with SHA1 and 40 Bit RC2 CBC | 9001 | | | PKCS#5 PBE ciphers | 9002 | | | PKCS #5 Password | 9003 | | | Based Encryption with MD2 and | 9004 | | | DES CBC | 9005 | | | o PKCS #5 | 9006 | | | Password Based Encryption with | 9007 | | | MD5 and DES CBC | 9008 | | | o PKCS #5 | 9009 | | | Password Based Encryption with | 9010 | | | SHA1 and DES CBC | 9011 | | | With PKCS#12, the crypto | 9012 | | | provider may be the soft token | 9013 | | | module or an | 9014 | | | external hardware module. 
| 9015 | | | If the cryptographic module | 9016 | | | does not support the | 9017 | | | requested algorithm, then | 9018 | | | the next best fit will be | 9019 | | | selected (usually the | 9020 | | | default). If no suitable | 9021 | | | replacement for the desired | 9022 | | | algorithm can be | 9023 | | | found, the tool returns the | 9024 | | | error no security module can | 9025 | | | perform the | 9026 | | | requested operation. | 9027 | | | NSS Database Types | 9028 | | | NSS originally used | 9029 | | | BerkeleyDB databases to store | 9030 | | | security information. | 9031 | | | The last versions of these | 9032 | | | legacy databases are: | 9033 | | | o cert8.db for | 9034 | | | certificates | 9035 | | | o key3.db for keys | 9036 | | | o secmod.db for PKCS #11 | 9037 | | | module information | 9038 | | | BerkeleyDB has performance | 9039 | | | limitations, though, which | 9040 | | | prevent it from | 9041 | | | being easily used by | 9042 | | | multiple applications | 9043 | | | simultaneously. NSS has some | 9044 | | | flexibility that allows | 9045 | | | applications to use their own, | 9046 | | | independent | 9047 | | | database engine while | 9048 | | | keeping a shared database and | 9049 | | | working around the | 9050 | | | access issues. Still, NSS | 9051 | | | requires more flexibility to | 9052 | | | provide a truly | 9053 | | | shared security database. | 9054 | | | In 2009, NSS introduced a | 9055 | | | new set of databases that are | 9056 | | | SQLite databases | 9057 | | | rather than BerkeleyDB. 
| 9058 | | | These new databases provide | 9059 | | | more accessibility and | 9060 | | | performance: | 9061 | | | o cert9.db for | 9062 | | | certificates | 9063 | | | o key4.db for keys | 9064 | | | o pkcs11.txt, which is a | 9065 | | | listing of all of the PKCS #11 | 9066 | | | modules contained | 9067 | | | in a new subdirectory | 9068 | | | in the security databases | 9069 | | | directory | 9070 | | | Because the SQLite | 9071 | | | databases are designed to be | 9072 | | | shared, these are the | 9073 | | | shared database type. The | 9074 | | | shared database type is | 9075 | | | preferred; the legacy | 9076 | | | format is included for | 9077 | | | backward compatibility. | 9078 | | | By default, the tools | 9079 | | | (certutil, pk12util, modutil) | 9080 | | | assume that the given | 9081 | | | security databases follow | 9082 | | | the more common legacy type. | 9083 | | | Using the SQLite | 9084 | | | databases must be manually | 9085 | | | specified by using the sql: | 9086 | | | prefix with the | 9087 | | | given security directory. | 9088 | | | For example: | 9089 | | | # pk12util -i | 9090 | | | /tmp/cert-files/users.p12 -d | 9091 | | | sql:/home/my/sharednssdb | 9092 | | | To set the shared database | 9093 | | | type as the default type for | 9094 | | | the tools, set the | 9095 | | | NSS_DEFAULT_DB_TYPE | 9096 | | | environment variable to sql: | 9097 | | | export | 9098 | | | NSS_DEFAULT_DB_TYPE="sql" | 9099 | | | This line can be added | 9100 | | | to the ~/.bashrc file to make | 9101 | | | the change | 9102 | | | permanent. | 9103 | | | Most applications do not | 9104 | | | use the shared database by | 9105 | | | default, but they can | 9106 | | | be configured to use them. 
| 9107 | | | For example, this how-to | 9108 | | | article covers how to | 9109 | | | configure Firefox and | 9110 | | | Thunderbird to use the new | 9111 | | | shared NSS databases: | 9112 | | | | 9113 | | | o https://wiki.m | 9114 | | | ozilla.org/NSS_Shared_DB_Howto | 9115 | | | For an engineering draft on | 9116 | | | the changes in the shared NSS | 9117 | | | databases, see | 9118 | | | the NSS project wiki: | 9119 | | | | 9120 | | | o https:// | 9121 | | | wiki.mozilla.org/NSS_Shared_DB | 9122 | | | See Also | 9123 | | | certutil (1) | 9124 | | | modutil (1) | 9125 | | | The NSS wiki has | 9126 | | | information on the new | 9127 | | | database design and how to | 9128 | | | configure applications to | 9129 | | | use it. | 9130 | | | | 9131 | | | o https://wiki.m | 9132 | | | ozilla.org/NSS_Shared_DB_Howto | 9133 | | | | 9134 | | | o https:// | 9135 | | | wiki.mozilla.org/NSS_Shared_DB | 9136 | | | Additional Resources | 9137 | | | For information about NSS | 9138 | | | and other tools related to NSS | 9139 | | | (like JSS), check | 9140 | | | out the NSS project wiki at | 9141 | | | | 9142 | | | [1]\ `http://www.mozil | 9143 | | | la.org/projects/security/pki/n | 9144 | | | ss/ <https://www.mozilla.org/p | 9145 | | | rojects/security/pki/nss/>`__. | 9146 | | | The NSS site relates | 9147 | | | directly to NSS code | 9148 | | | changes and releases. | 9149 | | | Mailing lists: | 9150 | | | https://lists.mozill | 9151 | | | a.org/listinfo/dev-tech-crypto | 9152 | | | IRC: Freenode at | 9153 | | | #dogtag-pki | 9154 | | | Authors | 9155 | | | The NSS tools were written | 9156 | | | and maintained by developers | 9157 | | | with Netscape, Red | 9158 | | | Hat, and Sun. | 9159 | | | Authors: Elio Maldonado | 9160 | | | <emaldona@redhat.com>, Deon | 9161 | | | Lackey | 9162 | | | <dlackey@redhat.com>. | 9163 | | | Copyright | 9164 | | | (c) 2010, Red Hat, Inc. | 9165 | | | Licensed under the GNU Public | 9166 | | | License version 2. 
|                                |                                | References                     |
|                                |                                | Visible links                  |
|                                |                                | 1.                             |
|                                |                                | `http://www.mozi               |
|                                |                                | lla.org/projects/security/pki/ |
|                                |                                | nss/ <https://www.mozilla.org/ |
|                                |                                | projects/security/pki/nss/>`__ |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                |                                |
+--------------------------------+--------------------------------+--------------------------------+
| 355                            | :ref:`mozill                   |                                |
|                                | a_projects_nss_tools_signtool` |                                |
+--------------------------------+--------------------------------+--------------------------------+
|                                |                                | Name                           |
|                                |                                | signtool — Digitally sign      |
|                                |                                | objects and files.             |
|                                |                                | Synopsis                       |
|                                |                                | signtool [-k keyName]          |
|                                |                                | `-h <-h>`__ `-H <-H>`__        |
|                                |                                | `-l <-l>`__ `-L <-L>`__        |
|                                |                                | `-M <-M>`__ `-v <-v>`__        |
|                                |                                | `-w <-w>`__                    |
|                                |                                | `-G                            |
|                                |                                | nickname <-G_nickname>`__ `-s  |
|                                |                                | size <--keysize>`__ `-b        |
|                                |                                | basename <-b_basename>`__ [[-c |
|                                |                                | Compression                    |
|                                |                                | Level] ] [[-d cert-dir] ]      |
|                                |                                | [[-i installer script] ] [[-m  |
|                                |                                | metafile] ] [[-x               |
|                                |                                | name] ] [[-f filename] ]       |
|                                |                                | [[-t|--token tokenname] ] [[-e |
|                                |                                | extension] ] [[-o]             |
|                                |                                | ] [[-z] ] [[-X] ]              |
|                                |                                | [[--outfile] ] [[--verbose     |
|                                |                                | value] ] [[--norecurse] ]      |
|                                |                                | [[--leavearc] ] [[-j           |
|                                |                                | directory] ] [[-Z jarfile] ]   |
|                                |                                | [[-O] ] [[-p password] ]       |
|                                |                                | [directory-tree] [archive]     |
|                                |                                | Description                    |
|                                |                                | The Signing Tool, signtool,    |
|                                |                                | creates digital signatures and |
|                                |                                | uses a Java                    |
|                                |                                | Archive (JAR) file to          |
|                                |                                | associate the signatures with  |
|                                |                                | files in a directory.          |
|                                |                                | Electronic software            |
|                                |                                | distribution over any network  |
|                                |                                | involves potential             |
|                                |                                | security problems. To help     |
|                                |                                | address some of these          |
|                                |                                | problems, you can              |
|                                |                                | associate digital              |
|                                |                                | signatures with the files in a |
|                                |                                | JAR archive. Digital           |
|                                |                                | signatures allow               |
|                                |                                | SSL-enabled clients to perform |
|                                |                                | two important operations:      |
|                                |                                | \* Confirm the identity of     |
|                                |                                | the individual, company, or    |
|                                |                                | other entity whose             |
|                                |                                | digital signature is           |
|                                |                                | associated with the files      |
|                                |                                | \* Check whether the files     |
|                                |                                | have been tampered with since  |
|                                |                                | being signed                   |
|                                |                                | If you have a signing          |
|                                |                                | certificate, you can use       |
|                                |                                | Netscape Signing Tool to       |
|                                |                                | digitally sign files and       |
|                                |                                | package them as a JAR file. An |
|                                |                                | object-signing                 |
|                                |                                | certificate is a special       |
|                                |                                | kind of certificate that       |
|                                |                                | allows you to associate        |
|                                |                                | your digital signature with    |
|                                |                                | one or more files.             |
|                                |                                | An individual file can         |
|                                |                                | potentially be signed with     |
|                                |                                | multiple digital               |
|                                |                                | signatures. For example, a     |
|                                |                                | commercial software developer  |
|                                |                                | might sign the                 |
|                                |                                | files that constitute a        |
|                                |                                | software product to prove that |
|                                |                                | the files are                  |
|                                |                                | indeed from a particular       |
|                                |                                | company. A network             |
|                                |                                | administrator manager might    |
|                                |                                | sign the same files with an    |
|                                |                                | additional digital signature   |
|                                |                                | based on a                     |
|                                |                                | company-generated              |
|                                |                                | certificate to indicate that   |
|                                |                                | the product is approved for    |
|                                |                                | use within the company.        |
|                                |                                | The significance of a          |
|                                |                                | digital signature is           |
|                                |                                | comparable to the significance |
|                                |                                | of a handwritten signature.    |
|                                |                                | Once you have signed a file,   |
|                                |                                | it is difficult                |
|                                |                                | to claim later that you        |
|                                |                                | didn't sign it. In some        |
|                                |                                | situations, a digital          |
|                                |                                | signature may be considered    |
|                                |                                | as legally binding as a        |
|                                |                                | handwritten signature.         |
|                                |                                | Therefore, you should take     |
|                                |                                | great care to ensure that you  |
|                                |                                | can stand behind               |
|                                |                                | any file you sign and          |
|                                |                                | distribute.                    |
|                                |                                | For example, if you are a      |
|                                |                                | software developer, you should |
|                                |                                | test your code to              |
|                                |                                | make sure it is virus-free     |
|                                |                                | before signing it. Similarly,  |
|                                |                                | if you are a                   |
|                                |                                | network administrator, you     |
|                                |                                | should make sure, before       |
|                                |                                | signing any code, that         |
|                                |                                | it comes from a reliable       |
|                                |                                | source and will run correctly  |
|                                |                                | with the software              |
|                                |                                | installed on the machines      |
|                                |                                | to which you are distributing  |
|                                |                                | it.                            |
|                                |                                | Before you can use Netscape    |
|                                |                                | Signing Tool to sign files,    |
|                                |                                | you must have an               |
|                                |                                | object-signing certificate,    |
|                                |                                | which is a special certificate |
|                                |                                | whose                          |
|                                |                                | associated private key is      |
|                                |                                | used to create digital         |
|                                |                                | signatures. For testing        |
|                                |                                | purposes only, you can         |
|                                |                                | create an object-signing       |
|                                |                                | certificate with Netscape      |
|                                |                                | Signing Tool 1.3. When         |
|                                |                                | testing is finished and you    |
|                                |                                | are ready to                   |
|                                |                                | distribute your software,      |
|                                |                                | you should obtain an           |
|                                |                                | object-signing certificate     |
|                                |                                | from one of two kinds of       |
|                                |                                | sources:                       |
|                                |                                | \* An independent              |
|                                |                                | certificate authority (CA)     |
|                                |                                | that authenticates your        |
|                                |                                | identity and charges you a     |
|                                |                                | fee. You typically get a       |
|                                |                                | certificate from an            |
|                                |                                | independent CA if you want     |
|                                |                                | to sign software that will be  |
|                                |                                | distributed over               |
|                                |                                | the Internet.                  |
|                                |                                | \* CA server software          |
|                                |                                | running on your corporate      |
|                                |                                | intranet or extranet.          |
|                                |                                | Netscape Certificate           |
|                                |                                | Management System provides a   |
|                                |                                | complete management            |
|                                |                                | solution for creating,         |
|                                |                                | deploying, and managing        |
|                                |                                | certificates, including CAs    |
|                                |                                | that issue object-signing      |
|                                |                                | certificates.                  |
|                                |                                | You must also have a           |
|                                |                                | certificate for the CA that    |
|                                |                                | issues your signing            |
|                                |                                | certificate before you can     |
|                                |                                | sign files. If the certificate |
|                                |                                | authority's                    |
|                                |                                | certificate isn't already      |
|                                |                                | installed in your copy of      |
|                                |                                | Communicator, you              |
|                                |                                | typically install it by        |
|                                |                                | clicking the appropriate link  |
|                                |                                | on the certificate             |
|                                |                                | authority's web site, for      |
|                                |                                | example on the page from which |
|                                |                                | you initiated                  |
|                                |                                | enrollment for your signing    |
|                                |                                | certificate. This is the case  |
|                                |                                | for some test                  |
|                                |                                | certificates, as well as       |
|                                |                                | certificates issued by         |
|                                |                                | Netscape Certificate           |
|                                |                                | Management System: you must    |
|                                |                                | download the CA certificate in |
|                                |                                | addition to                    |
|                                |                                | obtaining your own signing     |
|                                |                                | certificate. CA certificates   |
|                                |                                | for several                    |
|                                |                                | certificate authorities are    |
|                                |                                | preinstalled in the            |
|                                |                                | Communicator certificate       |
|                                |                                | database.                      |
|                                |                                | When you receive an            |
|                                |                                | object-signing certificate for |
|                                |                                | your own use, it is            |
|                                |                                | automatically installed in     |
|                                |                                | your copy of the Communicator  |
|                                |                                | client software.               |
|                                |                                | Communicator supports the      |
|                                |                                | public-key cryptography        |
|                                |                                | standard known as PKCS         |
|                                |                                | #12, which governs key         |
|                                |                                | portability. You can, for      |
|                                |                                | example, move an               |
|                                |                                | object-signing certificate     |
|                                |                                | and its associated private key |
|                                |                                | from one                       |
|                                |                                | computer to another on a       |
|                                |                                | credit-card-sized device       |
|                                |                                | called a smart card.           |
|                                |                                | Options                        |
|                                |                                | -b basename                    |
|                                |                                | Specifies the base             |
|                                |                                | filename for the .rsa and .sf  |
|                                |                                | files in the                   |
|                                |                                | META-INF directory             |
|                                |                                | to conform with the JAR        |
|                                |                                | format. For example, -b        |
|                                |                                | signatures causes              |
|                                |                                | the files to be named          |
|                                |                                | signatures.rsa and             |
|                                |                                | signatures.sf. The             |
|                                |                                | default is signtool.           |
|                                |                                | -c#                            |
|                                |                                | Specifies the                  |
|                                |                                | compression level for the -J   |
|                                |                                | or -Z option. The              |
|                                |                                | symbol # represents            |
|                                |                                | a number from 0 to 9, where 0  |
|                                |                                | means no                       |
|                                |                                | compression and 9              |
|                                |                                | means maximum compression. The |
|                                |                                | higher the level               |
|                                |                                | of compression, the            |
|                                |                                | smaller the output but the     |
|                                |                                | longer the                     |
|                                |                                | operation takes. If            |
|                                |                                | the -c# option is not used     |
|                                |                                | with either the -J             |
|                                |                                | or the -Z option,              |
|                                |                                | the default compression value  |
|                                |                                | used by both the               |
|                                |                                | -J and -Z options              |
|                                |                                | is 6.                          |
|                                |                                | -d certdir                     |
|                                |                                | Specifies your                 |
|                                |                                | certificate database           |
|                                |                                | directory; that is, the        |
|                                |                                | directory in which             |
|                                |                                | you placed your key3.db and    |
|                                |                                | cert7.db files. To             |
|                                |                                | specify the current            |
|                                |                                | directory, use "-d."           |
|                                |                                | (including the period).        |
|                                |                                | The Unix version of            |
|                                |                                | signtool assumes ~/.netscape   |
|                                |                                | unless told                    |
|                                |                                | otherwise. The NT              |
|                                |                                | version of signtool always     |
|                                |                                | requires the use of            |
|                                |                                | the -d option to               |
|                                |                                | specify where the database     |
|                                |                                | files are located.             |
|                                |                                | -e extension                   |
|                                |                                | Tells signtool to              |
|                                |                                | sign only files with the given |
|                                |                                | extension; for                 |
|                                |                                | example, use                   |
|                                |                                | -e".class" to sign only Java   |
|                                |                                | class files. Note that         |
|                                |                                | with Netscape                  |
|                                |                                | Signing Tool version 1.1 and   |
|                                |                                | later this option can          |
|                                |                                | appear multiple                |
|                                |                                | times on one command line,     |
|                                |                                | making it possible to          |
|                                |                                | specify multiple               |
|                                |                                | file types or classes to       |
|                                |                                | include.                       |
|                                |                                | -f commandfile                 |
|                                |                                | Specifies a text               |
|                                |                                | file containing Netscape       |
|                                |                                | Signing Tool options and       |
|                                |                                | arguments in                   |
|                                |                                | keyword=value format. All      |
|                                |                                | options and arguments can      |
|                                |                                | be expressed                   |
|                                |                                | through this file. For more    |
|                                |                                | information about the          |
|                                |                                | syntax used with               |
|                                |                                | this file, see "Tips and       |
|                                |                                | Techniques".                   |
|                                |                                | -i scriptname                  |
|                                |                                | Specifies the name             |
|                                |                                | of an installer script for     |
|                                |                                | SmartUpdate. This              |
|                                |                                | script installs                |
|                                |                                | files from the JAR archive in  |
|                                |                                | the local system               |
|                                |                                | after SmartUpdate              |
|                                |                                | has validated the digital      |
|                                |                                | signature. For more            |
|                                |                                | details, see the               |
|                                |                                | description of -m that         |
|                                |                                | follows. The -i option         |
|                                |                                | provides a                     |
|                                |                                | straightforward way to provide |
|                                |                                | this information if you        |
|                                |                                | don't need to                  |
|                                |                                | specify any metadata other     |
|                                |                                | than an installer script.      |
|                                |                                | -j directory                   |
|                                |                                | Specifies a special            |
|                                |                                | JavaScript directory. This     |
|                                |                                | option causes the              |
|                                |                                | specified directory            |
|                                |                                | to be signed and tags its      |
|                                |                                | entries as inline              |
|                                |                                | JavaScript. This               |
|                                |                                | special type of entry does not |
|                                |                                | have to appear in              |
|                                |                                | the JAR file                   |
|                                |                                | itself. Instead, it is located |
|                                |                                | in the HTML page               |
|                                |                                | containing the                 |
|                                |                                | inline scripts. When you use   |
|                                |                                | signtool -v, these             |
|                                |                                | entries are                    |
|                                |                                | displayed with the string NOT  |
|                                |                                | PRESENT.                       |
|                                |                                | -k key ... directory           |
|                                |                                | Specifies the                  |
|                                |                                | nickname (key) of the          |
|                                |                                | certificate you want to sign   |
|                                |                                | with and signs the             |
|                                |                                | files in the specified         |
|                                |                                | directory. The directory       |
|                                |                                | to sign is always              |
|                                |                                | specified as the last          |
|                                |                                | command-line argument.         |
|                                |                                | Thus, it is                    |
|                                |                                | possible to write signtool -k  |
|                                |                                | MyCert -d . signdir You        |
|                                |                                | may have trouble if            |
|                                |                                | the nickname contains a single |
|                                |                                | quotation mark.                |
|                                |                                | To avoid problems,             |
|                                |                                | escape the quotation mark      |
|                                |                                | using the escape               |
|                                |                                | conventions for                |
|                                |                                | your platform. It's also       |
|                                |                                | possible to use the -k         |
|                                |                                | option without                 |
|                                |                                | signing any files or           |
|                                |                                | specifying a directory. For    |
|                                |                                | example, you can               |
|                                |                                | use it with the -l option to   |
|                                |                                | get detailed                   |
|                                |                                | information about a            |
|                                |                                | particular signing             |
|                                |                                | certificate.                   |
|                                |                                | -G nickname                    |
|                                |                                | Generates a new                |
|                                |                                | private-public key pair and    |
|                                |                                | corresponding                  |
|                                |                                | object-signing                 |
|                                |                                | certificate with the given     |
|                                |                                | nickname. The newly            |
|                                |                                | generated keys and             |
|                                |                                | certificate are installed into |
|                                |                                | the key and                    |
|                                |                                | certificate                    |
|                                |                                | databases in the directory     |
|                                |                                | specified by the -d option.    |
|                                |                                | With the NT version            |
|                                |                                | of Netscape Signing Tool, you  |
|                                |                                | must use the -d                |
|                                |                                | option with the -G             |
|                                |                                | option. With the Unix version  |
|                                |                                | of Netscape                    |
|                                |                                | Signing Tool,                  |
|                                |                                | omitting the -d option causes  |
|                                |                                | the tool to install            |
|                                |                                | the keys and                   |
|                                |                                | certificate in the             |
|                                |                                | Communicator key and           |
|                                |                                | certificate                    |
|                                |                                | databases. If you              |
|                                |                                | are installing the keys and    |
|                                |                                | certificate in the             |
|                                |                                | Communicator                   |
|                                |                                | databases, you must exit       |
|                                |                                | Communicator before using      |
|                                |                                | this option;                   |
|                                |                                | otherwise, you risk corrupting |
|                                |                                | the databases. In all          |
|                                |                                | cases, the                     |
|                                |                                | certificate is also output to  |
|                                |                                | a file named x509.cacert,      |
|                                |                                | which has the                  |
|                                |                                | MIME-type                      |
|                                |                                | application/x-x509-ca-cert.    |
|                                |                                | Unlike                         |
|                                |                                | certificates                   |
|                                |                                | normally used to sign finished |
|                                |                                | code to be distributed         |
|                                |                                | over a network, a              |
|                                |                                | test certificate created with  |
|                                |                                | -G is not signed               |
|                                |                                | by a recognized                |
|                                |                                | certificate authority.         |
|                                |                                | Instead, it is self-signed.    |
|                                |                                | In addition, a                 |
|                                |                                | single test signing            |
|                                |                                | certificate functions as both  |
|                                |                                | an object-signing              |
|                                |                                | certificate and a CA. When you |
|                                |                                | are using it to                |
|                                |                                | sign objects, it               |
|                                |                                | behaves like an object-signing |
|                                |                                | certificate. When              |
|                                |                                | it is imported into            |
|                                |                                | browser software such as       |
|                                |                                | Communicator, it               |
|                                |                                | behaves like an                |
|                                |                                | object-signing CA and cannot   |
|                                |                                | be used to sign                |
|                                |                                | objects. The -G                |
|                                |                                | option is available in         |
|                                |                                | Netscape Signing Tool 1.0      |
|                                |                                | and later versions             |
|                                |                                | only. By default, it produces  |
|                                |                                | only RSA                       |
|                                |                                | certificates with              |
|                                |                                | 1024-byte keys in the internal |
|                                |                                | token. However,                |
|                                |                                | you can use the -s             |
|                                |                                | option to specify the required |
|                                |                                | key size and the -t            |
|                                |                                | option to specify              |
|                                |                                | the token. For more            |
|                                |                                | information about the use of   |
|                                |                                | the -G option, see             |
|                                |                                | "Generating Test               |
|                                |                                | Object-Signing Certificates"   |
|                                |                                | on page                        |
|                                |                                | 1241.                          |
|                                |                                | -l                             |
|                                |                                | Lists signing                  |
|                                |                                | certificates, including        |
|                                |                                | issuing CAs. If any of your    |
|                                |                                | certificates are               |
|                                |                                | expired or invalid, the list   |
|                                |                                | will so specify.               |
|                                |                                | This option can be             |
|                                |                                | used with the -k option to     |
|                                |                                | list detailed                  |
|                                |                                | information about a            |
|                                |                                | particular signing             |
|                                |                                | certificate. The -l option     |
|                                |                                | is available in                |
|                                |                                | Netscape Signing Tool 1.0 and  |
|                                |                                | later versions only.           |
|                                |                                | -J                             |
|                                |                                | Signs a directory              |
|                                |                                | of HTML files containing       |
|                                |                                | JavaScript and creates         |
|                                |                                | as many archive                |
|                                |                                | files as are specified in the  |
|                                |                                | HTML tags. Even if             |
|                                |                                | signtool creates               |
|                                |                                | more than one archive file,    |
|                                |                                | you need to supply             |
|                                |                                | the key database               |
|                                |                                | password only once. The -J     |
|                                |                                | option is available            |
|                                |                                | only in Netscape               |
|                                |                                | Signing Tool 1.0 and later     |
|                                |                                | versions. The -J               |
|                                |                                | option cannot be               |
|                                |                                | used at the same time as the   |
|                                |                                | -Z option. If the              |
|                                |                                | -c# option is not              |
|                                |                                | used with the -J option, the   |
|                                |                                | default compression            |
|                                |                                | value is 6. Note               |
|                                |                                | that versions 1.1 and later of |
|                                |                                | Netscape Signing               |
|                                |                                | Tool correctly                 |
|                                |                                | recognizes the CODEBASE        |
|                                |                                | attribute, allows paths to     |
|                                |                                | be expressed for               |
|                                |                                | the CLASS and SRC attributes   |
|                                |                                | instead of filenames           |
|                                |                                | only, processes                |
|                                |                                | LINK tags and parses HTML      |
|                                |                                | correctly, and offers          |
|                                |                                | clearer error                  |
|                                |                                | messages.                      |
|                                |                                | -L                             |
|                                |                                | Lists the                      |
|                                |                                | certificates in your database. |
|                                |                                | An asterisk appears to         |
|                                |                                | the left of the                |
|                                |                                | nickname for any certificate   |
|                                |                                | that can be used to            |
|                                |                                | sign objects with              |
|                                |                                | signtool.                      |
|                                |                                | --leavearc                     |
|                                |                                | Retains the                    |
|                                |                                | temporary .arc (archive)       |
|                                |                                | directories that the -J        |
|                                |                                | option creates.                |
|                                |                                | These directories are          |
|                                |                                | automatically erased by        |
|                                |                                | default. Retaining             |
|                                |                                | the temporary directories can  |
|                                |                                | be an aid to                   |
|                                |                                | debugging.                     |
|                                |                                | -m metafile                    |
|                                |                                | Specifies the name             |
|                                |                                | of a metadata control file.    |
|                                |                                | Metadata is signed             |
|                                |                                | information                    |
|                                |                                | attached either to the JAR     |
|                                |                                | archive itself or to files     |
|                                |                                | within the archive.            |
|                                |                                | This metadata can be any ASCII |
|                                |                                | string, but is                 |
|                                |                                | used mainly for                |
|                                |                                | specifying an installer        |
|                                |                                | script. The metadata file      |
|                                |                                | contains one entry             |
|                                |                                | per line, each with three      |
|                                |                                | fields: field #1:              |
|                                |                                | file specification,            |
|                                |                                | or + if you want to specify    |
|                                |                                | global metadata                |
|                                |                                | (that is, metadata             |
|                                |                                | about the JAR archive itself   |
|                                |                                | or all entries in              |
|                                |                                | the archive) field             |
|                                |                                | #2: the name of the data you   |
|                                |                                | are specifying;                |
|                                |                                | for example:                   |
|                                |                                | Install-Script field #3: data  |
|                                |                                | corresponding to the           |
|                                |                                | name in field #2               |
|                                |                                | For example, the -i option     |
|                                |                                | uses the equivalent of         |
|                                |                                | this line: +                   |
|                                |                                | Install-Script: script.js This |
|                                |                                | example associates a           |
|                                |                                | MIME type with a               |
|                                |                                | file: movie.qt MIME-Type:      |
|                                |                                | video/quicktime For            |
|                                |                                | information about              |
|                                |                                | the way installer script       |
|                                |                                | information appears in         |
|                                |                                | the manifest file              |
|                                |                                | for a JAR archive, see The JAR |
|                                |                                | Format on                      |
|                                |                                | Netscape DevEdge.              |
|                                |                                | -M                             |
|                                |                                | Lists the PKCS #11             |
|                                |                                | modules available to signtool, |
|                                |                                | including smart                |
|                                |                                | cards. The -M                  |
|                                |                                | option is available in         |
|                                |                                | Netscape Signing Tool 1.0 and  |
|                                |                                | later versions                 |
|                                |                                | only. For information on using |
|                                |                                | Netscape Signing               |
|                                |                                | Tool with smart                |
|                                |                                | cards, see "Using Netscape     |
|                                |                                | Signing Tool with Smart        |
|                                |                                | Cards". For                    |
|                                |                                | information on using the -M    |
|                                |                                | option to verify               |
|                                |                                | FIPS-140-1                     |
|                                |                                | validated mode, see "Netscape  |
|                                |                                | Signing Tool and               |
|                                |                                | FIPS-140-1".                   |
|                                |                                | --norecurse                    |
|                                |                                | Blocks recursion               |
|                                |                                | into subdirectories when       |
|                                |                                | signing a directory's          |
|                                |                                | contents or when               |
|                                |                                | parsing HTML.                  |
|                                |                                | -o                             |
|                                |                                | Optimizes the                  |
|                                |                                | archive for size. Use this     |
|                                |                                | only if you are signing        |
|                                |                                | very large archives            |
|                                |                                | containing hundreds of files.  |
|                                |                                | This option                    |
|                                |                                | makes the manifest             |
|                                |                                | files (required by the JAR     |
|                                |                                | format) considerably           |
|                                |                                | smaller, but they              |
|                                |                                | contain slightly less          |
|                                |                                | information.                   |
|                                |                                | --outfile outputfile           |
|                                |                                | Specifies a file to            |
|                                |                                | receive redirected output from |
|                                |                                | Netscape                       |
|                                |                                | Signing Tool.                  |
|                                |                                | -p password                    |
|                                |                                | Specifies a                    |
|                                |                                | password for the private-key   |
|                                |                                | database. Note that the        |
|                                |                                | password entered on            |
|                                |                                | the command line is displayed  |
|                                |                                | as plain text.                 |
|                                |                                | -s keysize                     |
|                                |                                | Specifies the size             |
|                                |                                | of the key for generated       |
|                                |                                | certificate. Use the           |
|                                |                                | -M option to find              |
|                                |                                | out what tokens are available. |
|                                |                                | The -s option can              |
|                                |                                | be used with the -G            |
|                                |                                | option only.                   |
|                                |                                | -t token                       |
|                                |                                | Specifies which                |
|                                |                                | available token should         |
|                                |                                | generate the key and           |
|                                |                                | receive the                    |
|                                |                                | certificate. Use the -M option |
|                                |                                | to find out what tokens        |
|                                |                                | are available. The             |
|                                |                                | -t option can be used with the |
|                                |                                | -G option only.                |
|                                |                                | -v archive                     |
|                                |                                | Displays the                   |
|                                |                                | contents of an archive and     |
|                                |                                | verifies the cryptographic     |
|                                |                                | integrity of the               |
|                                |                                | digital signatures it contains |
|                                |                                | and the files with             |
|                                |                                | which they are                 |
|                                |                                | associated. This includes      |
|                                |                                | checking that the              |
|                                |                                | certificate for the            |
|                                |                                | issuer of the object-signing   |
|                                |                                | certificate is                 |
|                                |                                | listed in the                  |
|                                |                                | certificate database, that the |
|                                |                                | CA's digital                   |
|                                |                                | signature on the               |
|                                |                                | object-signing certificate is  |
|                                |                                | valid, that the                |
|                                |                                | relevant                       |
|                                |                                | certificates have not expired, |
|                                |                                | and so on.                     |
|                                |                                | --verbosity value              |
|                                |                                | Sets the quantity              |
|                                |                                | of information Netscape        |
|                                |                                | Signing Tool generates         |
|                                |                                | in operation. A                |
|                                |                                | value of 0 (zero) is the       |
|                                |                                | default and gives full         |
|                                |                                | information. A                 |
|                                |                                | value of -1 suppresses most    |
|                                |                                | messages, but not error        |
|                                |                                | messages.                      |
|                                |                                | -w archive                     |
|                                |                                | Displays the names             |
|                                |                                | of signers of any files in the |
|                                |                                | archive.                       |
|                                |                                | -x directory                   |
|                                |                                | Excludes the                   |
|                                |                                | specified directory from       |
|                                |                                | signing. Note that with        |
|                                |                                | Netscape Signing               |
|                                |                                | Tool version 1.1 and later     |
|                                |                                | this option can appear         |
|                                |                                | multiple times on              |
|                                |                                | one command line, making it    |
|                                |                                | possible to specify            |
|                                |                                | several particular             |
|                                |                                | directories to exclude.        |
|                                |                                | -z                             |
|                                |                                | Tells signtool not             |
|                                |                                | to store the signing time in   |
|                                |                                | the digital                    |
|                                |                                | signature. This                |
|                                |                                | option is useful if you want   |
|                                |                                | the expiration date            |
|                                |                                | of the signature               |
|                                |                                | checked against the current    |
|                                |                                | date and time rather           |
|                                |                                | than the time the              |
|                                |                                | files were signed.             |
|                                |                                | -Z jarfile                     |
|                                |                                | Creates a JAR file             |
|                                |                                | with the specified name. You   |
|                                |                                | must specify this              |
|                                |                                | option if you want             |
|                                |                                | signtool to create the JAR     |
|                                |                                | file; it does not do           |
|                                |                                | so automatically.              |
|                                |                                | If you don't specify -Z, you   |
|                                |                                | must use an                    |
|                                |                                | external ZIP tool              |
|                                |                                | to create the JAR file. The -Z |
|                                |                                | option cannot be               |
|                                |                                | used at the same               |
|                                |                                | time as the -J option. If the  |
|                                |                                | -c# option is not              |
|                                |                                | used with the -Z               |
|                                |                                | option, the default            |
|                                |                                | compression value is 6.        |
|                                |                                | The Command File Format        |
|                                |                                | Entries in a Netscape          |
|                                |                                | Signing Tool command file have |
|                                |                                | this general format:           |
|                                |                                | keyword=value Everything       |
|                                |                                | before the = sign on a single  |
|                                |                                | line is a keyword,             |
|                                |                                | and everything from the =      |
|                                |                                | sign to the end of line is a   |
|                                |                                | value. The value               |
|                                |                                | may include = signs; only      |
|                                |                                | the first = sign on a line is  |
|                                |                                | interpreted. Blank             |
|                                |                                | lines are ignored, but         |
|                                |                                | white space on a line with     |
|                                |                                | keywords and values is         |
|                                |                                | assumed to be part of the      |
|                                |                                | keyword (if it comes before    |
|                                |                                | the equal sign) or             |
|                                |                                | part of the value (if it       |
|                                |                                | comes after the first equal    |
|                                |                                | sign). Keywords are            |
|                                |                                | case insensitive, values       |
|                                |                                | are generally case sensitive.  |
|                                |                                | Since the = sign               |
|                                |                                | and newline delimit the        |
|                                |                                | value, it should not be        |
|                                |                                | quoted.                        |
|                                |                                | Subsection                     |
|                                |                                | basename                       |
|                                |                                | Same as -b option.             |
|                                |                                | compression                    |
|                                |                                | Same as -c option.             |
|                                |                                | certdir                        |
|                                |                                | Same as -d option.             |
|                                |                                | extension                      |
|                                |                                | Same as -e option.             |
|                                |                                | generate                       |
|                                |                                | Same as -G option.             |
|                                |                                | installscript                  |
|                                |                                | Same as -i option.             |
|                                |                                | javascriptdir                  |
|                                |                                | Same as -j option.             |
|                                |                                | htmldir                        |
|                                |                                | Same as -J option.             |
|                                |                                | certname                       |
|                                |                                | Nickname of                    |
|                                |                                | certificate, as with -k and -l |
|                                |                                | -k options.                    |
|                                |                                | signdir                        |
|                                |                                | The directory to be            |
|                                |                                | signed, as with -k option.     |
|                                |                                | list                           |
|                                |                                | Same as -l option.             |
|                                |                                | Value is ignored, but = sign   |
|                                |                                | must be present.               |
|                                |                                | listall                        |
|                                |                                | Same as -L option.             |
|                                |                                | Value is ignored, but = sign   |
|                                |                                | must be present.               |
|                                |                                | metafile                       |
|                                |                                | Same as -m option.             |
|                                |                                | modules                        |
|                                |                                | Same as -M option.             |
|                                |                                | Value is ignored, but = sign   |
|                                |                                | must be present.               |
|                                |                                | optimize                       |
|                                |                                | Same as -o option.             |
|                                |                                | Value is ignored, but = sign   |
|                                |                                | must be present.               |
|                                |                                | password                       |
|                                |                                | Same as -p option.             |
|                                |                                | keysize                        |
|                                |                                | Same as -s option.             |
|                                |                                | token                          |
|                                |                                | Same as -t option.             |
|                                |                                | verify                         |
|                                |                                | Same as -v option.             |
|                                |                                | who                            |
|                                |                                | Same as -w option.             |
|                                |                                | exclude                        |
|                                |                                | Same as -x option.             |
|                                |                                | notime                         |
|                                |                                | Same as -z option.             |
|                                |                                | value is ignored, but = sign   |
|                                |                                | must be present.               |
|                                |                                | jarfile                        |
|                                |                                | Same as -Z option.             |
|                                |                                | outfile                        |
|                                |                                | Name of a file to              |
|                                |                                | which output and error         |
|                                |                                | messages will be               |
|                                |                                | redirected. This               |
|                                |                                | option has no command-line     |
|                                |                                | equivalent.                    |
|                                |                                | Extended Examples              |
|                                |                                | The following example will     |
|                                |                                | do this and that               |
|                                |                                | Listing Available Signing      |
|                                |                                | Certificates                   |
|                                |                                | You use the -L option to       |
|                                |                                | list the nicknames for all     |
|                                |                                | available certificates         |
|                                |                                | and check which ones are       |
|                                |                                | signing certificates.          |
|                                |                                | signtool -L                    |
|                                |                                | using certificate directory:   |
|                                |                                | /u/jsmith/.netscape            |
|                                |                                | S Certificates                 |
|                                |                                | - ------------                 |
|                                |                                | BBN Certificate Services CA    |
|                                |                                | Root 1                         |
|                                |                                | IBM World Registry CA          |
|                                |                                | VeriSign Class 1 CA -          |
|                                |                                | Individual Subscriber -        |
|                                |                                | VeriSign, Inc.                 |
|                                |                                | GTE CyberTrust Root CA         |
|                                |                                | Uptime Group Plc. Class 4      |
|                                |                                | CA                             |
|                                |                                | \* Verisign Object Signing     |
|                                |                                | Cert                           |
|                                |                                | Integrion CA                   |
|                                |                                | GTE CyberTrust Secure          |
|                                |                                | Server CA                      |
|                                |                                | AT&T Directory Services        |
|                                |                                | \* test object signing cert    |
|                                |                                | Uptime Group Plc. Class 1      |
|                                |                                | CA                             |
|                                |                                | VeriSign Class 1 Primary CA    |
|                                |                                | - ------------                 |
|                                |                                | Certificates that can be used  |
|                                |                                | to sign objects have \*'s to   |
|                                |                                | their left.                    |
|                                |                                | Two signing certificates       |
|                                |                                | are displayed: Verisign Object |
|                                |                                | Signing Cert and               |
|                                |                                | test object signing cert.      |
|                                |                                | You use the -l option to       |
|                                |                                | get a list of signing          |
|                                |                                | certificates only,             |
|                                |                                | including the signing CA       |
|                                |                                | for each.                      |
|                                |                                | signtool -l                    |
|                                |                                | using certificate directory:   |
|                                |                                | /u/jsmith/.netscape            |
|                                |                                | Object signing certificates    |
|                                |                                | ---------                      |
|                                |                                | ------------------------------ |
|                                |                                | Verisign Object Signing Cert   |
|                                |                                | Issued by: VeriSign, Inc.      |
|                                |                                | - Verisign, Inc.               |
|                                |                                | Expires: Tue May 19, 1998      |
|                                |                                | test object signing cert       |
|                                |                                | Issued by: test object         |
|                                |                                | signing cert (Signtool 1.0     |
|                                |                                | Testing                        |
|                                |                                | Certificate (960187691))       |
|                                |                                | Expires: Sun May 17, 1998      |
|                                |                                | ---------                      |
|                                |                                | ------------------------------ |
|                                |                                | For a list including CAs,      |
|                                |                                | use the -L option.             |
|                                |                                | Signing a File                 |
|                                |                                | 1. Create an empty             |
|                                |                                | directory.                     |
|                                |                                | mkdir signdir                  |
|                                |                                | 2. Put some file into it.      |
|                                |                                | echo boo > signdir/test.f      |
|                                |                                | 3. Specify the name of your    |
|                                |                                | object-signing certificate and |
|                                |                                | sign the                       |
|                                |                                | directory.                     |
|                                |                                | signtool -k MySignCert -Z      |
|                                |                                | testjar.jar signdir            |
|                                |                                | using key "MySignCert"         |
|                                |                                | using certificate directory:   |
|                                |                                | /u/jsmith/.netscape            |
|                                |                                | Generating                     |
|                                |                                | signdir/META-INF/manifest.mf   |
|                                |                                | file..                         |
|                                |                                | --> test.f                     |
|                                |                                | adding signdir/test.f to       |
|                                |                                | testjar.jar                    |
|                                |                                | Generating signtool.sf file..  |
|                                |                                | Enter Password or Pin for      |
|                                |                                | "Communicator Certificate DB": |
|                                |                                | adding                         |
|                                |                                | signdir/META-INF/manifest.mf   |
|                                |                                | to testjar.jar                 |
|                                |                                | adding                         |
|                                |                                | signdir/META-INF/signtool.sf   |
|                                |                                | to testjar.jar                 |
|                                |                                | adding                         |
|                                |                                | signdir/META-INF/signtool.rsa  |
|                                |                                | to testjar.jar                 |
|                                |                                | tree "signdir" signed          |
|                                |                                | successfully                   |
|                                |                                | 4. Test the archive you        |
|                                |                                | just created.                  |
|                                |                                | signtool -v testjar.jar        |
|                                |                                | using certificate directory:   |
|                                |                                | /u/jsmith/.netscape            |
|                                |                                | archive "testjar.jar" has      |
|                                |                                | passed crypto verification.    |
|                                |                                | status path                    |
|                                |                                | ------------                   |
|                                |                                | -------------------            |
|                                |                                | verified test.f                |
|                                |                                | Using Netscape Signing Tool    |
|                                |                                | with a ZIP Utility             |
|                                |                                | To use Netscape Signing        |
|                                |                                | Tool with a ZIP utility, you   |
|                                |                                | must have the utility          |
|                                |                                | in your path environment       |
|                                |                                | variable. You should use the   |
|                                |                                | zip.exe utility                |
|                                |                                | rather than pkzip.exe,         |
|                                |                                | which cannot handle long       |
|                                |                                | filenames. You can use a       |
|                                |                                | ZIP utility instead of the     |
|                                |                                | -Z option to package a signed  |
|                                |                                | archive into a                 |
|                                |                                | JAR file after you have        |
|                                |                                | signed it:                     |
|                                |                                | cd signdir                     |
|                                |                                | zip -r ../myjar.jar \*         |
|                                |                                | adding: META-INF/ (stored      |
|                                |                                | 0%)                            |
|                                |                                | adding:                        |
|                                |                                | META-INF/manifest.mf (deflated |
|                                |                                | 15%)                           |
|                                |                                | adding:                        |
|                                |                                | META-INF/signtool.sf (deflated |
|                                |                                | 28%)                           |
|                                |                                | adding:                        |
|                                |                                | META-INF/signtool.rsa (stored  |
|                                |                                | 0%)                            |
|                                |                                | adding: text.txt (stored       |
|                                |                                | 0%)                            |
|                                |                                | Generating the Keys and        |
|                                |                                | Certificate                    |
|                                |                                | The signtool option -G         |
|                                |                                | generates a new public-private |
|                                |                                | key pair and                   |
|                                |                                | certificate. It takes the      |
|                                |                                | nickname of the new            |
|                                |                                | certificate as an argument.    |
|                                |                                | The newly generated keys       |
|                                |                                | and certificate are installed  |
|                                |                                | into the key and               |
|                                |                                | certificate databases in       |
|                                |                                | the directory specified by the |
|                                |                                | -d option. With                |
|                                |                                | the NT version of Netscape     |
|                                |                                | Signing Tool, you must use the |
|                                |                                | -d option with                 |
|                                |                                | the -G option. With the        |
|                                |                                | Unix version of Netscape       |
|                                |                                | Signing Tool, omitting         |
|                                |                                | the -d option causes the       |
|                                |                                | tool to install the keys and   |
|                                |                                | certificate in the             |
|                                |                                | Communicator key and           |
|                                |                                | certificate databases. In all  |
|                                |                                | cases, the certificate         |
|                                |                                | is also output to a file       |
|                                |                                | named x509.cacert, which has   |
|                                |                                | the MIME-type                  |
|                                |                                | application/x-x509-ca-cert.    |
|                                |                                | Certificates contain           |
|                                |                                | standard information about the |
|                                |                                | entity they identify,          |
|                                |                                | such as the common name and    |
|                                |                                | organization name. Netscape    |
|                                |                                | Signing Tool                   |
|                                |                                | prompts you for this           |
|                                |                                | information when you run the   |
|                                |                                | command with the -G            |
|                                |                                | option. However, all of the    |
|                                |                                | requested fields are optional  |
|                                |                                | for test                       |
|                                |                                | certificates. If you do not    |
|                                |                                | enter a common name, the tool  |
|                                |                                | provides a                     |
|                                |                                | default name. In the           |
|                                |                                | following example, the user    |
|                                |                                | input is in boldface:          |
|                                |                                | signtool -G MyTestCert         |
|                                |                                | using certificate directory:   |
|                                |                                | /u/someuser/.netscape          |
|                                |                                | Enter certificate              |
|                                |                                | information. All fields are    |
|                                |                                | optional. Acceptable           |
|                                |                                | characters are numbers,        |
|                                |                                | letters, spaces, and           |
|                                |                                | apostrophes.                   |
|                                |                                | certificate common name: Test  |
|                                |                                | Object Signing Certificate     |
|                                |                                | organization: Netscape         |
|                                |                                | Communications Corp.           |
|                                |                                | organization unit: Server      |
|                                |                                | Products Division              |
|                                |                                | state or province: California  |
|                                |                                | country (must be exactly 2     |
|                                |                                | characters): US                |
|                                |                                | username: someuser             |
|                                |                                | email address:                 |
|                                |                                | someuser@netscape.com          |
|                                |                                | Enter Password or Pin for      |
|                                |                                | "Communicator Certificate DB": |
|                                |                                | [Password will not echo]       |
|                                |                                | generated public/private key   |
|                                |                                | pair                           |
|                                |                                | certificate request generated  |
|                                |                                | certificate has been signed    |
|                                |                                | certificate "MyTestCert"       |
|                                |                                | added to database              |
|                                |                                | Exported certificate to        |
|                                |                                | x509.raw and x509.cacert.      |
|                                |                                | The certificate information    |
|                                |                                | is read from standard input.   |
|                                |                                | Therefore, the                 |
|                                |                                | information can be read        |
|                                |                                | from a file using the          |
|                                |                                | redirection operator (<) in    |
|                                |                                | some operating systems.        |
To | 10218 | | | create a file for this | 10219 | | | purpose, enter each of | 10220 | | | the seven input fields, in | 10221 | | | order, on a separate line. | 10222 | | | Make sure there is a | 10223 | | | newline character at the | 10224 | | | end of the last line. Then run | 10225 | | | signtool with | 10226 | | | standard input redirected | 10227 | | | from your file as follows: | 10228 | | | signtool -G MyTestCert | 10229 | | | < inputfile | 10230 | | | The prompts show up on the | 10231 | | | screen, but the responses will | 10232 | | | be automatically | 10233 | | | read from the file. The | 10234 | | | password will still be read | 10235 | | | from the console | 10236 | | | unless you use the -p | 10237 | | | option to give the password on | 10238 | | | the command line. | 10239 | | | Using the -M Option to List | 10240 | | | Smart Cards | 10241 | | | You can use the -M option | 10242 | | | to list the PKCS #11 modules, | 10243 | | | including smart | 10244 | | | cards, that are available | 10245 | | | to signtool: | 10246 | | | signtool -d | 10247 | | | "c:\netscape\users\jsmith" -M | 10248 | | | using certificate directory: | 10249 | | | c:\netscape\users\username | 10250 | | | Listing of PKCS11 modules | 10251 | | | ----------------- | 10252 | | | ------------------------------ | 10253 | | | 1. Netscape Internal | 10254 | | | PKCS #11 Module | 10255 | | | | 10256 | | | (this module is internally | 10257 | | | loaded) | 10258 | | | | 10259 | | | slots: 2 slots attached | 10260 | | | | 10261 | | | status: loaded | 10262 | | | slot: Communicator | 10263 | | | Internal Cryptographic | 10264 | | | Services Version 4.0 | 10265 | | | token: Communicator | 10266 | | | Generic Crypto Svcs | 10267 | | | slot: Communicator | 10268 | | | User Private Key and | 10269 | | | Certificate Services | 10270 | | | token: Communicator | 10271 | | | Certificate DB | 10272 | | | 2.
CryptOS | 10273 | | | | 10274 | | | (this is an external module) | 10275 | | | DLL name: core32 | 10276 | | | slots: 1 slots | 10277 | | | attached | 10278 | | | status: loaded | 10279 | | | slot: Litronic 210 | 10280 | | | token: | 10281 | | | | 10282 | | | ----------------- | 10283 | | | ------------------------------ | 10284 | | | Using Netscape Signing Tool | 10285 | | | and a Smart Card to Sign Files | 10286 | | | The signtool command | 10287 | | | normally takes an argument of | 10288 | | | the -k option to | 10289 | | | specify a signing | 10290 | | | certificate. To sign with a | 10291 | | | smart card, you supply only | 10292 | | | the fully qualified name of | 10293 | | | the certificate. | 10294 | | | To see fully qualified | 10295 | | | certificate names when you run | 10296 | | | Communicator, click | 10297 | | | the Security button in | 10298 | | | Navigator, then click Yours | 10299 | | | under Certificates in | 10300 | | | the left frame. Fully | 10301 | | | qualified names are of the | 10302 | | | format smart | 10303 | | | card:certificate, for | 10304 | | | example "MyCard:My Signing | 10305 | | | Cert". You use this name | 10306 | | | with the -k argument as | 10307 | | | follows: | 10308 | | | signtool -k "MyCard:My | 10309 | | | Signing Cert" directory | 10310 | | | Verifying FIPS Mode | 10311 | | | Use the -M option to verify | 10312 | | | that you are using the | 10313 | | | FIPS-140-1 module. | 10314 | | | signtool -d | 10315 | | | "c:\netscape\users\jsmith" -M | 10316 | | | using certificate directory: | 10317 | | | c:\netscape\users\jsmith | 10318 | | | Listing of PKCS11 modules | 10319 | | | ----------------- | 10320 | | | ------------------------------ | 10321 | | | 1. 
Netscape Internal PKCS | 10322 | | | #11 Module | 10323 | | | (this module is | 10324 | | | internally loaded) | 10325 | | | slots: 2 slots | 10326 | | | attached | 10327 | | | status: loaded | 10328 | | | slot: Communicator | 10329 | | | Internal Cryptographic | 10330 | | | Services Version 4.0 | 10331 | | | token: Communicator | 10332 | | | Generic Crypto Svcs | 10333 | | | slot: Communicator User | 10334 | | | Private Key and Certificate | 10335 | | | Services | 10336 | | | token: Communicator | 10337 | | | Certificate DB | 10338 | | | ----------------- | 10339 | | | ------------------------------ | 10340 | | | This Unix example shows | 10341 | | | that Netscape Signing Tool is | 10342 | | | using a FIPS-140-1 | 10343 | | | module: | 10344 | | | signtool -d | 10345 | | | "c:\netscape\users\jsmith" -M | 10346 | | | using certificate directory: | 10347 | | | c:\netscape\users\jsmith | 10348 | | | Enter Password or Pin for | 10349 | | | "Communicator Certificate DB": | 10350 | | | [password will not echo] | 10351 | | | Listing of PKCS11 modules | 10352 | | | ----------------- | 10353 | | | ------------------------------ | 10354 | | | 1. Netscape Internal FIPS | 10355 | | | PKCS #11 Module | 10356 | | | (this module is internally | 10357 | | | loaded) | 10358 | | | slots: 1 slots attached | 10359 | | | status: loaded | 10360 | | | slot: Netscape Internal | 10361 | | | FIPS-140-1 Cryptographic | 10362 | | | Services | 10363 | | | token: Communicator | 10364 | | | Certificate DB | 10365 | | | ----------------- | 10366 | | | ------------------------------ | 10367 | | | See Also | 10368 | | | signver (1) | 10369 | | | The NSS wiki has | 10370 | | | information on the new | 10371 | | | database design and how to | 10372 | | | configure applications to | 10373 | | | use it. 
| 10374 | | | | 10375 | | | o https://wiki.m | 10376 | | | ozilla.org/NSS_Shared_DB_Howto | 10377 | | | | 10378 | | | o https:// | 10379 | | | wiki.mozilla.org/NSS_Shared_DB | 10380 | | | Additional Resources | 10381 | | | For information about NSS | 10382 | | | and other tools related to NSS | 10383 | | | (like JSS), check | 10384 | | | out the NSS project wiki at | 10385 | | | | 10386 | | | [1]\ `http://www.mozil | 10387 | | | la.org/projects/security/pki/n | 10388 | | | ss/ <https://www.mozilla.org/p | 10389 | | | rojects/security/pki/nss/>`__. | 10390 | | | The NSS site relates | 10391 | | | directly to NSS code | 10392 | | | changes and releases. | 10393 | | | Mailing lists: | 10394 | | | https://lists.mozill | 10395 | | | a.org/listinfo/dev-tech-crypto | 10396 | | | IRC: Freenode at | 10397 | | | #dogtag-pki | 10398 | | | Authors | 10399 | | | The NSS tools were written | 10400 | | | and maintained by developers | 10401 | | | with Netscape, Red | 10402 | | | Hat, and Sun. | 10403 | | | Authors: Elio Maldonado | 10404 | | | <emaldona@redhat.com>, Deon | 10405 | | | Lackey | 10406 | | | <dlackey@redhat.com>. | 10407 | | | Copyright | 10408 | | | (c) 2010, Red Hat, Inc. | 10409 | | | Licensed under the GNU Public | 10410 | | | License version 2. | 10411 | | | References | 10412 | | | Visible links | 10413 | | | 1. 
| 10414 | | | `http://www.mozi | 10415 | | | lla.org/projects/security/pki/ | 10416 | | | nss/ <https://www.mozilla.org/ | 10417 | | | projects/security/pki/nss/>`__ | 10418 +--------------------------------+--------------------------------+--------------------------------+ 10419 | | | | 10420 +--------------------------------+--------------------------------+--------------------------------+ 10421 | 356 | :ref:`mozil | | 10422 | | la_projects_nss_tools_signver` | | 10423 +--------------------------------+--------------------------------+--------------------------------+ 10424 | | | Name | 10425 | | | signver — Verify a detached | 10426 | | | PKCS#7 signature for a file. | 10427 | | | Synopsis | 10428 | | | signver -A \| -V -d | 10429 | | | directory [-a] [-i input_file] | 10430 | | | [-o output_file] [-s | 10431 | | | signature_file] [-v] | 10432 | | | Description | 10433 | | | The Signature Verification | 10434 | | | Tool, signver, is a simple | 10435 | | | command-line utility | 10436 | | | that unpacks a | 10437 | | | base-64-encoded PKCS#7 signed | 10438 | | | object and verifies the | 10439 | | | digital signature using | 10440 | | | standard cryptographic | 10441 | | | techniques. The Signature | 10442 | | | Verification Tool can also | 10443 | | | display the contents of the | 10444 | | | signed object. | 10445 | | | Options | 10446 | | | -A | 10447 | | | Displays all of the | 10448 | | | information in the PKCS#7 | 10449 | | | signature. | 10450 | | | -V | 10451 | | | Verifies the | 10452 | | | digital signature. | 10453 | | | -d [sql:]directory | 10454 | | | Specify the | 10455 | | | database directory which | 10456 | | | contains the certificates and | 10457 | | | keys.
| 10458 | | | signver supports | 10459 | | | two types of databases: the | 10460 | | | legacy security | 10461 | | | databases | 10462 | | | (cert8.db, key3.db, and | 10463 | | | secmod.db) and new SQLite | 10464 | | | databases | 10465 | | | (cert9.db, key4.db, and | 10466 | | | pkcs11.txt). If the prefix | 10467 | | | sql: | 10468 | | | is not used, then | 10469 | | | the tool assumes that the | 10470 | | | given databases are in | 10471 | | | the old format. | 10472 | | | -a | 10473 | | | Sets that the given | 10474 | | | signature file is in ASCII | 10475 | | | format. | 10476 | | | -i input_file | 10477 | | | Gives the input | 10478 | | | file for the object with | 10479 | | | signed data. | 10480 | | | -o output_file | 10481 | | | Gives the output | 10482 | | | file to which to write the | 10483 | | | results. | 10484 | | | -s signature_file | 10485 | | | Gives the input | 10486 | | | file for the digital | 10487 | | | signature. | 10488 | | | -v | 10489 | | | Enables verbose | 10490 | | | output. | 10491 | | | Extended Examples | 10492 | | | Verifying a Signature | 10493 | | | The -V option verifies that | 10494 | | | the signature in a given | 10495 | | | signature file is | 10496 | | | valid when used to sign the | 10497 | | | given object (from the input | 10498 | | | file). | 10499 | | | signver -V -s signature_file | 10500 | | | -i signed_file -d | 10501 | | | sql:/home/my/sharednssdb | 10502 | | | signatureValid=yes | 10503 | | | Printing Signature Data | 10504 | | | The -A option prints all of | 10505 | | | the information contained in a | 10506 | | | signature file. | 10507 | | | Using the -o option prints | 10508 | | | the signature file information | 10509 | | | to the given | 10510 | | | output file rather than | 10511 | | | stdout. | 10512 | | | signver -A -s signature_file | 10513 | | | -o output_file | 10514 | | | NSS Database Types | 10515 | | | NSS originally used | 10516 | | | BerkeleyDB databases to store | 10517 | | | security information. 
| 10518 | | | The last versions of these | 10519 | | | legacy databases are: | 10520 | | | o cert8.db for | 10521 | | | certificates | 10522 | | | o key3.db for keys | 10523 | | | o secmod.db for PKCS #11 | 10524 | | | module information | 10525 | | | BerkeleyDB has performance | 10526 | | | limitations, though, which | 10527 | | | prevent it from | 10528 | | | being easily used by | 10529 | | | multiple applications | 10530 | | | simultaneously. NSS has some | 10531 | | | flexibility that allows | 10532 | | | applications to use their own, | 10533 | | | independent | 10534 | | | database engine while | 10535 | | | keeping a shared database and | 10536 | | | working around the | 10537 | | | access issues. Still, NSS | 10538 | | | requires more flexibility to | 10539 | | | provide a truly | 10540 | | | shared security database. | 10541 | | | In 2009, NSS introduced a | 10542 | | | new set of databases that are | 10543 | | | SQLite databases | 10544 | | | rather than BerkeleyDB. | 10545 | | | These new databases provide | 10546 | | | more accessibility and | 10547 | | | performance: | 10548 | | | o cert9.db for | 10549 | | | certificates | 10550 | | | o key4.db for keys | 10551 | | | o pkcs11.txt, which is a | 10552 | | | listing of all of the PKCS #11 | 10553 | | | modules contained | 10554 | | | in a new subdirectory | 10555 | | | in the security databases | 10556 | | | directory | 10557 | | | Because the SQLite | 10558 | | | databases are designed to be | 10559 | | | shared, these are the | 10560 | | | shared database type. The | 10561 | | | shared database type is | 10562 | | | preferred; the legacy | 10563 | | | format is included for | 10564 | | | backward compatibility. | 10565 | | | By default, the tools | 10566 | | | (certutil, pk12util, modutil) | 10567 | | | assume that the given | 10568 | | | security databases follow | 10569 | | | the more common legacy type.
| 10570 | | | Using the SQLite | 10571 | | | databases must be manually | 10572 | | | specified by using the sql: | 10573 | | | prefix with the | 10574 | | | given security directory. | 10575 | | | For example: | 10576 | | | # signver -A -s signature -d | 10577 | | | sql:/home/my/sharednssdb | 10578 | | | To set the shared database | 10579 | | | type as the default type for | 10580 | | | the tools, set the | 10581 | | | NSS_DEFAULT_DB_TYPE | 10582 | | | environment variable to sql: | 10583 | | | export | 10584 | | | NSS_DEFAULT_DB_TYPE="sql" | 10585 | | | This line can be added | 10586 | | | to the ~/.bashrc file to make | 10587 | | | the change | 10588 | | | permanent. | 10589 | | | Most applications do not | 10590 | | | use the shared database by | 10591 | | | default, but they can | 10592 | | | be configured to use them. | 10593 | | | For example, this how-to | 10594 | | | article covers how to | 10595 | | | configure Firefox and | 10596 | | | Thunderbird to use the new | 10597 | | | shared NSS databases: | 10598 | | | | 10599 | | | o https://wiki.m | 10600 | | | ozilla.org/NSS_Shared_DB_Howto | 10601 | | | For an engineering draft on | 10602 | | | the changes in the shared NSS | 10603 | | | databases, see | 10604 | | | the NSS project wiki: | 10605 | | | | 10606 | | | o https:// | 10607 | | | wiki.mozilla.org/NSS_Shared_DB | 10608 | | | See Also | 10609 | | | signtool (1) | 10610 | | | The NSS wiki has | 10611 | | | information on the new | 10612 | | | database design and how to | 10613 | | | configure applications to | 10614 | | | use it.
| 10615 | | | o Setting up the shared | 10616 | | | NSS database | 10617 | | | | 10618 | | | https://wiki.m | 10619 | | | ozilla.org/NSS_Shared_DB_Howto | 10620 | | | o Engineering and | 10621 | | | technical information about | 10622 | | | the shared NSS database | 10623 | | | | 10624 | | | https:// | 10625 | | | wiki.mozilla.org/NSS_Shared_DB | 10626 | | | Additional Resources | 10627 | | | For information about NSS | 10628 | | | and other tools related to NSS | 10629 | | | (like JSS), check | 10630 | | | out the NSS project wiki at | 10631 | | | | 10632 | | | [1]\ `http://www.mozil | 10633 | | | la.org/projects/security/pki/n | 10634 | | | ss/ <https://www.mozilla.org/p | 10635 | | | rojects/security/pki/nss/>`__. | 10636 | | | The NSS site relates | 10637 | | | directly to NSS code | 10638 | | | changes and releases. | 10639 | | | Mailing lists: | 10640 | | | https://lists.mozill | 10641 | | | a.org/listinfo/dev-tech-crypto | 10642 | | | IRC: Freenode at | 10643 | | | #dogtag-pki | 10644 | | | Authors | 10645 | | | The NSS tools were written | 10646 | | | and maintained by developers | 10647 | | | with Netscape, Red | 10648 | | | Hat, and Sun. | 10649 | | | Authors: Elio Maldonado | 10650 | | | <emaldona@redhat.com>, Deon | 10651 | | | Lackey | 10652 | | | <dlackey@redhat.com>. | 10653 | | | Copyright | 10654 | | | (c) 2010, Red Hat, Inc. | 10655 | | | Licensed under the GNU Public | 10656 | | | License version 2. | 10657 | | | References | 10658 | | | Visible links | 10659 | | | 1. 
| 10660 | | | `http://www.mozi | 10661 | | | lla.org/projects/security/pki/ | 10662 | | | nss/ <https://www.mozilla.org/ | 10663 | | | projects/security/pki/nss/>`__ | 10664 +--------------------------------+--------------------------------+--------------------------------+ 10665 | | | | 10666 +--------------------------------+--------------------------------+--------------------------------+ 10667 | 357 | :ref:`mozi | | 10668 | | lla_projects_nss_tools_ssltap` | | 10669 +--------------------------------+--------------------------------+--------------------------------+ 10670 | | | Name | 10671 | | | ssltap — Tap into SSL | 10672 | | | connections and display the | 10673 | | | data going by | 10674 | | | Synopsis | 10675 | | | ssltap [-vhfsxl] [-p | 10676 | | | port] [hostname:port] | 10677 | | | Description | 10678 | | | The SSL Debugging Tool | 10679 | | | ssltap is an SSL-aware | 10680 | | | command-line proxy. It | 10681 | | | watches TCP connections and | 10682 | | | displays the data going by. If | 10683 | | | a connection is | 10684 | | | SSL, the data display | 10685 | | | includes interpreted SSL | 10686 | | | records and handshaking. | 10687 | | | Options | 10688 | | | -v | 10689 | | | Print a version | 10690 | | | string for the tool. | 10691 | | | -h | 10692 | | | Turn on hex/ASCII | 10693 | | | printing. Instead of | 10694 | | | outputting raw data, the | 10695 | | | command interprets | 10696 | | | each record as a numbered line | 10697 | | | of hex values, | 10698 | | | followed by the | 10699 | | | same data as ASCII characters. | 10700 | | | The two parts are | 10701 | | | separated by a | 10702 | | | vertical bar. Nonprinting | 10703 | | | characters are replaced | 10704 | | | by dots. | 10705 | | | -f | 10706 | | | Turn on fancy | 10707 | | | printing. Output is printed in | 10708 | | | colored HTML. Data | 10709 | | | sent from the | 10710 | | | client to the server is in | 10711 | | | blue; the server's reply | 10712 | | | is in red.
When | 10713 | | | used with looping mode, the | 10714 | | | different connections | 10715 | | | are separated with | 10716 | | | horizontal lines. You can use | 10717 | | | this option to | 10718 | | | upload the output | 10719 | | | into a browser. | 10720 | | | -s | 10721 | | | Turn on SSL parsing | 10722 | | | and decoding. The tool does | 10723 | | | not automatically | 10724 | | | detect SSL | 10725 | | | sessions. If you are | 10726 | | | intercepting an SSL | 10727 | | | connection, | 10728 | | | use this option so | 10729 | | | that the tool can detect and | 10730 | | | decode SSL | 10731 | | | structures. | 10732 | | | If the tool detects | 10733 | | | a certificate chain, it saves | 10734 | | | the DER-encoded | 10735 | | | certificates into | 10736 | | | files in the current | 10737 | | | directory. The files are | 10738 | | | named cert.0x, | 10739 | | | where x is the sequence number | 10740 | | | of the certificate. | 10741 | | | If the -s option is | 10742 | | | used with -h, two separate | 10743 | | | parts are printed | 10744 | | | for each record: | 10745 | | | the plain hex/ASCII output, | 10746 | | | and the parsed SSL | 10747 | | | output. | 10748 | | | -x | 10749 | | | Turn on hex/ASCII | 10750 | | | printing of undecoded data | 10751 | | | inside parsed SSL | 10752 | | | records. Used only | 10753 | | | with the -s option. This | 10754 | | | option uses the same | 10755 | | | output format as | 10756 | | | the -h option. | 10757 | | | -l prefix | 10758 | | | Turn on looping; | 10759 | | | that is, continue to accept | 10760 | | | connections rather | 10761 | | | than stopping after | 10762 | | | the first connection is | 10763 | | | complete. | 10764 | | | -p port | 10765 | | | Change the default | 10766 | | | rendezvous port (1924) to | 10767 | | | another port. 
| 10768 | | | The following are | 10769 | | | well-known port numbers: | 10770 | | | \* HTTP 80 | 10771 | | | \* HTTPS 443 | 10772 | | | \* SMTP 25 | 10773 | | | \* FTP 21 | 10774 | | | \* IMAP 143 | 10775 | | | \* IMAPS 993 (IMAP | 10776 | | | over SSL) | 10777 | | | \* NNTP 119 | 10778 | | | \* NNTPS 563 (NNTP | 10779 | | | over SSL) | 10780 | | | Usage and Examples | 10781 | | | You can use the SSL | 10782 | | | Debugging Tool to intercept | 10783 | | | any connection | 10784 | | | information. Although you | 10785 | | | can run the tool at its most | 10786 | | | basic by issuing | 10787 | | | the ssltap command with no | 10788 | | | options other than | 10789 | | | hostname:port, the | 10790 | | | information you get in this | 10791 | | | way is not very useful. For | 10792 | | | example, assume | 10793 | | | your development machine is | 10794 | | | called intercept. The simplest | 10795 | | | way to use the | 10796 | | | debugging tool is to | 10797 | | | execute the following command | 10798 | | | from a command shell: | 10799 | | | $ ssltap www.netscape.com | 10800 | | | The program waits for an | 10801 | | | incoming connection on the | 10802 | | | default port 1924. In | 10803 | | | your browser window, enter | 10804 | | | the URL http://intercept:1924. | 10805 | | | The browser | 10806 | | | retrieves the requested | 10807 | | | page from the server at | 10808 | | | www.netscape.com, but the | 10809 | | | page is intercepted and | 10810 | | | passed on to the browser by | 10811 | | | the debugging tool on | 10812 | | | intercept. On its way to | 10813 | | | the browser, the data is | 10814 | | | printed to the command | 10815 | | | shell from which you issued | 10816 | | | the command. 
Data sent from | 10817 | | | the client to the | 10818 | | | server is surrounded by the | 10819 | | | following symbols: --> [ data | 10820 | | | ] Data sent from | 10821 | | | the server to the client is | 10822 | | | surrounded by the following | 10823 | | | symbols: <-- | 10824 | | | [ data ] The raw | 10825 | | | data stream is sent to | 10826 | | | standard output and is | 10827 | | | not interpreted in any way. | 10828 | | | This can result in peculiar | 10829 | | | effects, such as | 10830 | | | sounds, flashes, and even | 10831 | | | crashes of the command shell | 10832 | | | window. To output a | 10833 | | | basic, printable | 10834 | | | interpretation of the data, | 10835 | | | use the -h option, or, if you | 10836 | | | are looking at an SSL | 10837 | | | connection, the -s option. You | 10838 | | | will notice that the | 10839 | | | page you retrieved looks | 10840 | | | incomplete in the browser. | 10841 | | | This is because, by | 10842 | | | default, the tool closes | 10843 | | | down after the first | 10844 | | | connection is complete, so | 10845 | | | the browser is not able to | 10846 | | | load images. To make the tool | 10847 | | | continue to | 10848 | | | accept connections, switch | 10849 | | | on looping mode with the -l | 10850 | | | option. The | 10851 | | | following examples show the | 10852 | | | output from commonly used | 10853 | | | combinations of | 10854 | | | options.
| 10855 | | | Example 1 | 10856 | | | $ ssltap.exe -sx -p 444 | 10857 | | | interzone.mcom.com:443 > | 10858 | | | sx.txt | 10859 | | | Output | 10860 | | | Connected to | 10861 | | | interzone.mcom.com:443 | 10862 | | | --> [ | 10863 | | | alloclen = 66 bytes | 10864 | | | [ssl2] ClientHelloV2 { | 10865 | | | version = {0x03, | 10866 | | | 0x00} | 10867 | | | | 10868 | | | cipher-specs-length = 39 | 10869 | | | (0x27) | 10870 | | | sid-length = 0 | 10871 | | | (0x00) | 10872 | | | challenge-length | 10873 | | | = 16 (0x10) | 10874 | | | cipher-suites = { | 10875 | | | (0x010080) | 10876 | | | SSL2/RSA/RC4-128/MD5 | 10877 | | | (0x020080) | 10878 | | | SSL2/RSA/RC4-40/MD5 | 10879 | | | (0x030080) | 10880 | | | SSL2/RSA/RC2CBC128/MD5 | 10881 | | | (0x040080) | 10882 | | | SSL2/RSA/RC2CBC40/MD5 | 10883 | | | (0x060040) | 10884 | | | SSL2/RSA/DES64CBC/MD5 | 10885 | | | (0x0700c0) | 10886 | | | SSL2/RSA/3DES192EDE-CBC/MD5 | 10887 | | | (0x000004) | 10888 | | | SSL3/RSA/RC4-128/MD5 | 10889 | | | (0x00ffe0) | 10890 | | | SS | 10891 | | | L3/RSA-FIPS/3DES192EDE-CBC/SHA | 10892 | | | (0x00000a) | 10893 | | | SSL3/RSA/3DES192EDE-CBC/SHA | 10894 | | | (0x00ffe1) | 10895 | | | SSL3/RSA-FIPS/DES64CBC/SHA | 10896 | | | (0x000009) | 10897 | | | SSL3/RSA/DES64CBC/SHA | 10898 | | | (0x000003) | 10899 | | | SSL3/RSA/RC4-40/MD5 | 10900 | | | (0x000006) | 10901 | | | SSL3/RSA/RC2CBC40/MD5 | 10902 | | | } | 10903 | | | session-id = { } | 10904 | | | challenge = { | 10905 | | | 0xec5d 0x8edb 0x37c9 0xb5c9 | 10906 | | | 0x7b70 0x8fe9 0xd1d3 | 10907 | | | 0x2592 } | 10908 | | | } | 10909 | | | ] | 10910 | | | <-- [ | 10911 | | | SSLRecord { | 10912 | | | 0: 16 03 00 03 | 10913 | | | e5 | 10914 | | | | 10915 | | | \|.....
| 10916 | | | type = 22 (handshake) | 10917 | | | version = { 3,0 } | 10918 | | | length = 997 (0x3e5) | 10919 | | | handshake { | 10920 | | | 0: 02 00 00 | 10921 | | | 46 | 10922 | | | | 10923 | | | \|...F | 10924 | | | type = 2 (server_hello) | 10925 | | | length = 70 (0x000046) | 10926 | | | ServerHello { | 10927 | | | server_version = | 10928 | | | {3, 0} | 10929 | | | random = {...} | 10930 | | | 0: 77 8c 6e 26 6c 0c ec | 10931 | | | c0 d9 58 4f 47 d3 2d 01 45 | 10932 | | | \| | 10933 | | | wn&l.ì..XOG.-.E | 10934 | | | 10: 5c 17 75 43 a7 4c 88 | 10935 | | | c7 88 64 3c 50 41 48 4f 7f | 10936 | | | \| | 10937 | | | \.uC§L.Ç.d<PAHO. | 10938 | | | session ID | 10939 | | | = { | 10940 | | | length = 32 | 10941 | | | contents = | 10942 | | | {..} | 10943 | | | 0: 14 11 07 a8 2a 31 91 | 10944 | | | 29 11 94 40 37 57 10 a7 32 | 10945 | | | \| ...¨*1.)..@7W.§2 | 10946 | | | 10: 56 6f 52 62 fe 3d b3 | 10947 | | | 65 b1 e4 13 0f 52 a3 c8 f6 | 10948 | | | \| VoRbþ=³e±...R£È. | 10949 | | | } | 10950 | | | cipher_suite = | 10951 | | | (0x0003) SSL3/RSA/RC4-40/MD5 | 10952 | | | } | 10953 | | | 0: 0b 00 02 | 10954 | | | c5 | 10955 | | | | 10956 | | | \|...Å | 10957 | | | type = 11 (certificate) | 10958 | | | length = 709 (0x0002c5) | 10959 | | | CertificateChain | 10960 | | | { | 10961 | | | chainlength = 706 | 10962 | | | (0x02c2) | 10963 | | | Certificate { | 10964 | | | size = 703 | 10965 | | | (0x02bf) | 10966 | | | data = { saved | 10967 | | | in file 'cert.001' } | 10968 | | | } | 10969 | | | } | 10970 | | | 0: 0c 00 00 | 10971 | | | ca | 10972 | | | | 10973 | | | \|.... | 10974 | | | type = 12 | 10975 | | | (server_key_exchange) | 10976 | | | length = 202 | 10977 | | | (0x0000ca) | 10978 | | | 0: 0e 00 00 | 10979 | | | 00 | 10980 | | | | 10981 | | | \|.... 
| 10982 | | | type = 14 | 10983 | | | (server_hello_done) | 10984 | | | length = 0 | 10985 | | | (0x000000) | 10986 | | | } | 10987 | | | } | 10988 | | | ] | 10989 | | | --> [ | 10990 | | | SSLRecord { | 10991 | | | 0: 16 03 00 00 | 10992 | | | 44 | 10993 | | | | 10994 | | | \|....D | 10995 | | | type = 22 (handshake) | 10996 | | | version = { 3,0 } | 10997 | | | length = 68 (0x44) | 10998 | | | handshake { | 10999 | | | 0: 10 00 00 | 11000 | | | 40 | 11001 | | | | 11002 | | | \|...@ | 11003 | | | type = 16 | 11004 | | | (client_key_exchange) | 11005 | | | length = 64 (0x000040) | 11006 | | | ClientKeyExchange { | 11007 | | | message = {...} | 11008 | | | } | 11009 | | | } | 11010 | | | } | 11011 | | | ] | 11012 | | | --> [ | 11013 | | | SSLRecord { | 11014 | | | 0: 14 03 00 00 | 11015 | | | 01 | 11016 | | | | 11017 | | | \|..... | 11018 | | | type = 20 | 11019 | | | (change_cipher_spec) | 11020 | | | version = { 3,0 } | 11021 | | | length = 1 (0x1) | 11022 | | | 0: | 11023 | | | 01 | 11024 | | | | 11025 | | | \|. | 11026 | | | } | 11027 | | | SSLRecord { | 11028 | | | 0: 16 03 00 00 | 11029 | | | 38 | 11030 | | | | 11031 | | | \|....8 | 11032 | | | type = 22 (handshake) | 11033 | | | version = { 3,0 } | 11034 | | | length = 56 (0x38) | 11035 | | | < encrypted > | 11036 | | | } | 11037 | | | ] | 11038 | | | <-- [ | 11039 | | | SSLRecord { | 11040 | | | 0: 14 03 00 00 | 11041 | | | 01 | 11042 | | | | 11043 | | | \|..... | 11044 | | | type = 20 | 11045 | | | (change_cipher_spec) | 11046 | | | version = { 3,0 } | 11047 | | | length = 1 (0x1) | 11048 | | | 0: | 11049 | | | 01 | 11050 | | | | 11051 | | | \|. 
| 11052 | | | } | 11053 | | | ] | 11054 | | | <-- [ | 11055 | | | SSLRecord { | 11056 | | | 0: 16 03 00 00 | 11057 | | | 38 | 11058 | | | | 11059 | | | \|....8 | 11060 | | | type = 22 (handshake) | 11061 | | | version = { 3,0 } | 11062 | | | length = 56 (0x38) | 11063 | | | < encrypted | 11064 | | | > | 11065 | | | } | 11066 | | | ] | 11067 | | | --> [ | 11068 | | | SSLRecord { | 11069 | | | 0: 17 03 00 01 | 11070 | | | 1f | 11071 | | | | 11072 | | | \|..... | 11073 | | | type = 23 | 11074 | | | (application_data) | 11075 | | | version = { 3,0 } | 11076 | | | length = 287 (0x11f) | 11077 | | | < encrypted > | 11078 | | | } | 11079 | | | ] | 11080 | | | <-- [ | 11081 | | | SSLRecord { | 11082 | | | 0: 17 03 00 00 | 11083 | | | a0 | 11084 | | | | 11085 | | | \|.... | 11086 | | | type = 23 | 11087 | | | (application_data) | 11088 | | | version = { 3,0 } | 11089 | | | length = 160 (0xa0) | 11090 | | | < encrypted > | 11091 | | | } | 11092 | | | ] | 11093 | | | <-- [ | 11094 | | | SSLRecord { | 11095 | | | 0: 17 03 00 00 | 11096 | | | df | 11097 | | | | 11098 | | | \|....ß | 11099 | | | type = 23 | 11100 | | | (application_data) | 11101 | | | version = { 3,0 } | 11102 | | | length = 223 (0xdf) | 11103 | | | < encrypted > | 11104 | | | } | 11105 | | | SSLRecord { | 11106 | | | 0: 15 03 00 00 | 11107 | | | 12 | 11108 | | | | 11109 | | | \|..... | 11110 | | | type = 21 (alert) | 11111 | | | version = { 3,0 } | 11112 | | | length = 18 (0x12) | 11113 | | | < encrypted > | 11114 | | | } | 11115 | | | ] | 11116 | | | Server socket closed. | 11117 | | | Example 2 | 11118 | | | The -s option turns on SSL | 11119 | | | parsing. Because the -x option | 11120 | | | is not used in | 11121 | | | this example, undecoded | 11122 | | | values are output as raw data. | 11123 | | | The output is | 11124 | | | routed to a text file. 
| 11125 | | | $ ssltap -s -p 444 | 11126 | | | interzone.mcom.com:443 > s.txt | 11127 | | | Output | 11128 | | | Connected to | 11129 | | | interzone.mcom.com:443 | 11130 | | | --> [ | 11131 | | | alloclen = 63 bytes | 11132 | | | [ssl2] ClientHelloV2 { | 11133 | | | version = {0x03, | 11134 | | | 0x00} | 11135 | | | | 11136 | | | cipher-specs-length = 36 | 11137 | | | (0x24) | 11138 | | | sid-length = 0 | 11139 | | | (0x00) | 11140 | | | challenge-length | 11141 | | | = 16 (0x10) | 11142 | | | cipher-suites = { | 11143 | | | (0x010080) | 11144 | | | SSL2/RSA/RC4-128/MD5 | 11145 | | | (0x020080) | 11146 | | | SSL2/RSA/RC4-40/MD5 | 11147 | | | (0x030080) | 11148 | | | SSL2/RSA/RC2CBC128/MD5 | 11149 | | | (0x060040) | 11150 | | | SSL2/RSA/DES64CBC/MD5 | 11151 | | | (0x0700c0) | 11152 | | | SSL2/RSA/3DES192EDE-CBC/MD5 | 11153 | | | (0x000004) | 11154 | | | SSL3/RSA/RC4-128/MD5 | 11155 | | | (0x00ffe0) | 11156 | | | SS | 11157 | | | L3/RSA-FIPS/3DES192EDE-CBC/SHA | 11158 | | | (0x00000a) | 11159 | | | SSL3/RSA/3DES192EDE-CBC/SHA | 11160 | | | (0x00ffe1) | 11161 | | | SSL3/RSA-FIPS/DES64CBC/SHA | 11162 | | | (0x000009) | 11163 | | | SSL3/RSA/DES64CBC/SHA | 11164 | | | (0x000003) | 11165 | | | SSL3/RSA/RC4-40/MD5 | 11166 | | | } | 11167 | | | session-id = { | 11168 | | | } | 11169 | | | challenge = { | 11170 | | | 0x713c 0x9338 0x30e1 0xf8d6 | 11171 | | | 0xb934 0x7351 0x200c | 11172 | | | 0x3fd0 } | 11173 | | | ] | 11174 | | | <-- [ | 11175 | | | SSLRecord { | 11176 | | | type = 22 (handshake) | 11177 | | | version = { 3,0 } | 11178 | | | length = 997 (0x3e5) | 11179 | | | handshake { | 11180 | | | type = 2 | 11181 | | | (server_hello) | 11182 | | | length = 70 | 11183 | | | (0x000046) | 11184 | | | ServerHello { | 11185 | | | server_version = | 11186 | | | {3, 0} | 11187 | | | random = {...} | 11188 | | | session ID = { | 11189 | | | length = 32 | 11190 | | | contents = | 11191 | | | {..} | 11192 | | | } | 11193 | | | cipher_suite = | 11194 | | | (0x0003)
SSL3/RSA/RC4-40/MD5 | 11195 | | | } | 11196 | | | type = 11 | 11197 | | | (certificate) | 11198 | | | length = 709 | 11199 | | | (0x0002c5) | 11200 | | | CertificateChain | 11201 | | | { | 11202 | | | chainlength = | 11203 | | | 706 (0x02c2) | 11204 | | | Certificate { | 11205 | | | size = 703 | 11206 | | | (0x02bf) | 11207 | | | data = { | 11208 | | | saved in file 'cert.001' } | 11209 | | | } | 11210 | | | } | 11211 | | | type = 12 | 11212 | | | (server_key_exchange) | 11213 | | | length = 202 | 11214 | | | (0x0000ca) | 11215 | | | type = 14 | 11216 | | | (server_hello_done) | 11217 | | | length = 0 | 11218 | | | (0x000000) | 11219 | | | } | 11220 | | | } | 11221 | | | ] | 11222 | | | --> [ | 11223 | | | SSLRecord { | 11224 | | | type = 22 (handshake) | 11225 | | | version = { 3,0 } | 11226 | | | length = 68 (0x44) | 11227 | | | handshake { | 11228 | | | type = 16 | 11229 | | | (client_key_exchange) | 11230 | | | length = 64 | 11231 | | | (0x000040) | 11232 | | | ClientKeyExchange | 11233 | | | { | 11234 | | | message = | 11235 | | | {...} | 11236 | | | } | 11237 | | | } | 11238 | | | } | 11239 | | | ] | 11240 | | | --> [ | 11241 | | | SSLRecord { | 11242 | | | type = 20 | 11243 | | | (change_cipher_spec) | 11244 | | | version = { 3,0 } | 11245 | | | length = 1 (0x1) | 11246 | | | } | 11247 | | | SSLRecord { | 11248 | | | type = 22 (handshake) | 11249 | | | version = { 3,0 } | 11250 | | | length = 56 (0x38) | 11251 | | | < encrypted > | 11252 | | | } | 11253 | | | ] | 11254 | | | <-- [ | 11255 | | | SSLRecord { | 11256 | | | type = 20 | 11257 | | | (change_cipher_spec) | 11258 | | | version = { 3,0 } | 11259 | | | length = 1 (0x1) | 11260 | | | } | 11261 | | | ] | 11262 | | | <-- [ | 11263 | | | SSLRecord { | 11264 | | | type = 22 (handshake) | 11265 | | | version = { 3,0 } | 11266 | | | length = 56 (0x38) | 11267 | | | < encrypted > | 11268 | | | } | 11269 | | | ] | 11270 | | | --> [ | 11271 | | | SSLRecord { | 11272 | | | type = 23 | 11273 | | |
(application_data) | 11274 | | | version = { 3,0 } | 11275 | | | length = 287 (0x11f) | 11276 | | | < encrypted > | 11277 | | | } | 11278 | | | ] | 11279 | | | <-- [ | 11280 | | | SSLRecord { | 11281 | | | type = 23 | 11282 | | | (application_data) | 11283 | | | version = { 3,0 } | 11284 | | | length = 160 (0xa0) | 11285 | | | < encrypted > | 11286 | | | } | 11287 | | | ] | 11288 | | | <-- [ | 11289 | | | SSLRecord { | 11290 | | | type = 23 | 11291 | | | (application_data) | 11292 | | | version = { 3,0 } | 11293 | | | length = 223 (0xdf) | 11294 | | | < encrypted > | 11295 | | | } | 11296 | | | SSLRecord { | 11297 | | | type = 21 (alert) | 11298 | | | version = { 3,0 } | 11299 | | | length = 18 (0x12) | 11300 | | | < encrypted > | 11301 | | | } | 11302 | | | ] | 11303 | | | Server socket closed. | 11304 | | | Example 3 | 11305 | | | In this example, the -h | 11306 | | | option turns on hex/ASCII | 11307 | | | format. There is no SSL | 11308 | | | parsing or decoding. The | 11309 | | | output is routed to a text | 11310 | | | file. | 11311 | | | $ ssltap -h -p 444 | 11312 | | | interzone.mcom.com:443 > h.txt | 11313 | | | Output | 11314 | | | Connected to | 11315 | | | interzone.mcom.com:443 | 11316 | | | --> [ | 11317 | | | 0: 80 40 01 03 00 00 27 | 11318 | | | 00 00 00 10 01 00 80 02 00 | 11319 | | | \| .@....'......... | 11320 | | | 10: 80 03 00 80 04 00 80 | 11321 | | | 06 00 40 07 00 c0 00 00 04 | 11322 | | | \| .........@...... | 11323 | | | 20: 00 ff e0 00 00 0a 00 | 11324 | | | ff e1 00 00 09 00 00 03 00 | 11325 | | | \| ........á....... | 11326 | | | 30: 00 06 9b fe 5b 56 96 | 11327 | | | 49 1f 9f ca dd d5 ba b9 52 | 11328 | | | \| ..þ[V.I.\xd9 ...º¹R | 11329 | | | 40: 6f | 11330 | | | 2d | 11331 | | | | 11332 | | | \|o- | 11333 | | | ] | 11334 | | | <-- [ | 11335 | | | 0: 16 03 00 03 e5 02 00 | 11336 | | | 00 46 03 00 7f e5 0d 1b 1d | 11337 | | | \| ........F.......
| 11338 | | | 10: 68 7f 3a 79 60 d5 17 | 11339 | | | 3c 1d 9c 96 b3 88 d2 69 3b | 11340 | | | \| h.:y`..<..³.Òi; | 11341 | | | 20: 78 e2 4b 8b a6 52 12 | 11342 | | | 4b 46 e8 c2 20 14 11 89 05 | 11343 | | | \| x.K.¦R.KFè. ... | 11344 | | | 30: 4d 52 91 fd 93 e0 51 | 11345 | | | 48 91 90 08 96 c1 b6 76 77 | 11346 | | | \| MR.ý..QH.....¶vw | 11347 | | | 40: 2a f4 00 08 a1 06 61 | 11348 | | | a2 64 1f 2e 9b 00 03 00 0b | 11349 | | | \| \*ô..¡.a¢d...... | 11350 | | | 50: 00 02 c5 00 02 c2 00 | 11351 | | | 02 bf 30 82 02 bb 30 82 02 | 11352 | | | \| ..Å......0...0.. | 11353 | | | 60: 24 a0 03 02 01 02 02 | 11354 | | | 02 01 36 30 0d 06 09 2a 86 | 11355 | | | \| $ .......60...*. | 11356 | | | 70: 48 86 f7 0d 01 01 04 | 11357 | | | 05 00 30 77 31 0b 30 09 06 | 11358 | | | \| H.÷......0w1.0.. | 11359 | | | 80: 03 55 04 06 13 02 55 | 11360 | | | 53 31 2c 30 2a 06 03 55 04 | 11361 | | | \| .U....US1,0*..U. | 11362 | | | 90: 0a 13 23 4e 65 74 73 | 11363 | | | 63 61 70 65 20 43 6f 6d 6d | 11364 | | | \| ..#Netscape Comm | 11365 | | | a0: 75 6e 69 63 61 74 69 | 11366 | | | 6f 6e 73 20 43 6f 72 70 6f | 11367 | | | \| unications Corpo | 11368 | | | b0: 72 61 74 69 6f 6e 31 | 11369 | | | 11 30 0f 06 03 55 04 0b 13 | 11370 | | | \| ration1.0...U... | 11371 | | | c0: 08 48 61 72 64 63 6f | 11372 | | | 72 65 31 27 30 25 06 03 55 | 11373 | | | \| .Hardcore1'0%..U | 11374 | | | d0: 04 03 13 1e 48 61 72 | 11375 | | | 64 63 6f 72 65 20 43 65 72 | 11376 | | | \| ....Hardcore Cer | 11377 | | | e0: 74 69 66 69 63 61 74 | 11378 | | | 65 20 53 65 72 76 65 72 20 | 11379 | | | \| tificate Server | 11380 | | | f0: 49 49 30 1e 17 0d 39 | 11381 | | | 38 30 35 31 36 30 31 30 33 | 11382 | | | \| II0...9805160103 | 11383 | | | <additional data lines> | 11384 | | | ] | 11385 | | | <additional records in same | 11386 | | | format> | 11387 | | | Server socket closed. 
| 11388 | | | Example 4 | 11389 | | | In this example, the -s | 11390 | | | option turns on SSL parsing, | 11391 | | | and the -h option | 11392 | | | turns on hex/ASCII format. | 11393 | | | Both formats are shown for | 11394 | | | each record. The | 11395 | | | output is routed to a text | 11396 | | | file. | 11397 | | | $ ssltap -hs -p 444 | 11398 | | | interzone.mcom.com:443 > | 11399 | | | hs.txt | 11400 | | | Output | 11401 | | | Connected to | 11402 | | | interzone.mcom.com:443 | 11403 | | | --> [ | 11404 | | | 0: 80 3d 01 03 00 00 24 | 11405 | | | 00 00 00 10 01 00 80 02 00 | 11406 | | | \| .=....$......... | 11407 | | | 10: 80 03 00 80 04 00 80 | 11408 | | | 06 00 40 07 00 c0 00 00 04 | 11409 | | | \| .........@...... | 11410 | | | 20: 00 ff e0 00 00 0a 00 | 11411 | | | ff e1 00 00 09 00 00 03 03 | 11412 | | | \| ........á....... | 11413 | | | 30: 55 e6 e4 99 79 c7 d7 | 11414 | | | 2c 86 78 96 5d b5 cf e9 | 11415 | | | \|U..yÇ\xb0 ,.x.]µÏé | 11416 | | | alloclen = 63 bytes | 11417 | | | [ssl2] ClientHelloV2 { | 11418 | | | version = {0x03, | 11419 | | | 0x00} | 11420 | | | | 11421 | | | cipher-specs-length = 36 | 11422 | | | (0x24) | 11423 | | | sid-length = 0 | 11424 | | | (0x00) | 11425 | | | challenge-length | 11426 | | | = 16 (0x10) | 11427 | | | cipher-suites = { | 11428 | | | (0x010080) | 11429 | | | SSL2/RSA/RC4-128/MD5 | 11430 | | | (0x020080) | 11431 | | | SSL2/RSA/RC4-40/MD5 | 11432 | | | (0x030080) | 11433 | | | SSL2/RSA/RC2CBC128/MD5 | 11434 | | | (0x040080) | 11435 | | | SSL2/RSA/RC2CBC40/MD5 | 11436 | | | (0x060040) | 11437 | | | SSL2/RSA/DES64CBC/MD5 | 11438 | | | (0x0700c0) | 11439 | | | SSL2/RSA/3DES192EDE-CBC/MD5 | 11440 | | | (0x000004) | 11441 | | | SSL3/RSA/RC4-128/MD5 | 11442 | | | (0x00ffe0) | 11443 | | | SS | 11444 | | | L3/RSA-FIPS/3DES192EDE-CBC/SHA | 11445 | | | (0x00000a) | 11446 | | | SSL3/RSA/3DES192EDE-CBC/SHA | 11447 | | | (0x00ffe1) | 11448 | | | SSL3/RSA-FIPS/DES64CBC/SHA | 11449 | | | (0x000009) | 11450 | | | 
SSL3/RSA/DES64CBC/SHA | 11451 | | | (0x000003) | 11452 | | | SSL3/RSA/RC4-40/MD5 | 11453 | | | } | 11454 | | | session-id = { } | 11455 | | | challenge = { | 11456 | | | 0x0355 0xe6e4 0x9979 0xc7d7 | 11457 | | | 0x2c86 0x7896 0x5db | 11458 | | | 0xcfe9 } | 11459 | | | } | 11460 | | | ] | 11461 | | | <additional records in same | 11462 | | | formats> | 11463 | | | Server socket closed. | 11464 | | | Usage Tips | 11465 | | | When SSL restarts a | 11466 | | | previous session, it makes use | 11467 | | | of cached information | 11468 | | | to do a partial handshake. | 11469 | | | If you wish to capture a full | 11470 | | | SSL handshake, | 11471 | | | restart the browser to | 11472 | | | clear the session id cache. | 11473 | | | If you run the tool on a | 11474 | | | machine other than the SSL | 11475 | | | server to which you | 11476 | | | are trying to connect, the | 11477 | | | browser will complain that the | 11478 | | | host name you | 11479 | | | are trying to connect to is | 11480 | | | different from the | 11481 | | | certificate. If you are | 11482 | | | using the default BadCert | 11483 | | | callback, you can still | 11484 | | | connect through a | 11485 | | | dialog. If you are not | 11486 | | | using the default BadCert | 11487 | | | callback, the one you | 11488 | | | supply must allow for this | 11489 | | | possibility. | 11490 | | | See Also | 11491 | | | The NSS Security Tools are | 11492 | | | also documented at | 11493 | | | | 11494 | | | [1]\ `http://www.mozil | 11495 | | | la.org/projects/security/pki/n | 11496 | | | ss/ <https://www.mozilla.org/p | 11497 | | | rojects/security/pki/nss/>`__. | 11498 | | | Additional Resources | 11499 | | | NSS is maintained in | 11500 | | | conjunction with PKI and | 11501 | | | security-related projects | 11502 | | | through Mozilla and Fedora.
| 11503 | | | The most closely-related | 11504 | | | project is Dogtag PKI, | 11505 | | | with a project wiki at | 11506 | | | [2]\ http: | 11507 | | | //pki.fedoraproject.org/wiki/. | 11508 | | | For information | 11509 | | | specifically about NSS, the | 11510 | | | NSS project wiki is located at | 11511 | | | | 11512 | | | [3]\ `http://www.mozil | 11513 | | | la.org/projects/security/pki/n | 11514 | | | ss/ <https://www.mozilla.org/p | 11515 | | | rojects/security/pki/nss/>`__. | 11516 | | | The NSS site relates | 11517 | | | directly to NSS code | 11518 | | | changes and releases. | 11519 | | | Mailing lists: | 11520 | | | pki-devel@redhat.com and | 11521 | | | pki-users@redhat.com | 11522 | | | IRC: Freenode at | 11523 | | | #dogtag-pki | 11524 | | | Authors | 11525 | | | The NSS tools were written | 11526 | | | and maintained by developers | 11527 | | | with Netscape and | 11528 | | | now with Red Hat and Sun. | 11529 | | | Authors: Elio Maldonado | 11530 | | | <emaldona@redhat.com>, Deon | 11531 | | | Lackey | 11532 | | | <dlackey@redhat.com>. | 11533 | | | Copyright | 11534 | | | (c) 2010, Red Hat, Inc. | 11535 | | | Licensed under the GNU Public | 11536 | | | License version 2. | 11537 | | | References | 11538 | | | Visible links | 11539 | | | 1. | 11540 | | | `http://www.mozilla.org/p | 11541 | | | rojects/secu.../pki/nss/tools | 11542 | | | <https://www.mozilla.org/proje | 11543 | | | cts/security/pki/nss/tools>`__ | 11544 | | | 2. | 11545 | | | http | 11546 | | | ://pki.fedoraproject.org/wiki/ | 11547 | | | 3. 
| 11548 | | | `http://www.mozi | 11549 | | | lla.org/projects/security/pki/ | 11550 | | | nss/ <https://www.mozilla.org/ | 11551 | | | projects/security/pki/nss/>`__ | 11552 +--------------------------------+--------------------------------+--------------------------------+ 11553 | | | | 11554 +--------------------------------+--------------------------------+--------------------------------+ 11555 | 358 | :ref:`mozill | | 11556 | | a_projects_nss_tools_vfychain` | | 11557 +--------------------------------+--------------------------------+--------------------------------+ 11558 | | | Name | 11559 | | | vfychain — vfychain | 11560 | | | [options] [revocation options] | 11561 | | | certfile [[options] | 11562 | | | certfile] ... | 11563 | | | Synopsis | 11564 | | | vfychain | 11565 | | | Description | 11566 | | | The verification Tool, | 11567 | | | vfychain, verifies certificate | 11568 | | | chains. modutil can | 11569 | | | add and delete PKCS #11 | 11570 | | | modules, change passwords on | 11571 | | | security databases, | 11572 | | | set defaults, list module | 11573 | | | contents, enable or disable | 11574 | | | slots, enable or | 11575 | | | disable FIPS 140-2 | 11576 | | | compliance, and assign default | 11577 | | | providers for | 11578 | | | cryptographic operations. | 11579 | | | This tool can also create | 11580 | | | certificate, key, and | 11581 | | | module security database | 11582 | | | files. | 11583 | | | The tasks associated with | 11584 | | | security module database | 11585 | | | management are part of | 11586 | | | a process that typically | 11587 | | | also involves managing key | 11588 | | | databases and | 11589 | | | certificate databases. 
| 11590 | | | Options | 11591 | | | -a | 11592 | | | the following | 11593 | | | certfile is base64 encoded | 11594 | | | -b YYMMDDHHMMZ | 11595 | | | Validate date | 11596 | | | (default: now) | 11597 | | | -d directory | 11598 | | | database directory | 11599 | | | -f | 11600 | | | Enable cert | 11601 | | | fetching from AIA URL | 11602 | | | -o oid | 11603 | | | Set policy OID for | 11604 | | | cert validation (Format | 11605 | | | OID.1.2.3) | 11606 | | | -p | 11607 | | | Use PKIX Library to | 11608 | | | validate certificate by | 11609 | | | calling: | 11610 | | | \* | 11611 | | | CERT_VerifyCertificate if | 11612 | | | specified once, | 11613 | | | \* | 11614 | | | CERT_PKIXVerifyCert if | 11615 | | | specified twice or more. | 11616 | | | -r | 11617 | | | Following certfile | 11618 | | | is raw binary DER (default) | 11619 | | | -t | 11620 | | | Following cert is | 11621 | | | explicitly trusted (overrides | 11622 | | | db trust) | 11623 | | | -u usage | 11624 | | | 0=SSL client, 1=SSL | 11625 | | | server, 2=SSL StepUp, 3=SSL | 11626 | | | CA, 4=Email | 11627 | | | signer, 5=Email | 11628 | | | recipient, 6=Object signer, | 11629 | | | | 11630 | | | 9=ProtectedObjectSigner, | 11631 | | | 10=OCSP responder, 11=Any CA | 11632 | | | -v | 11633 | | | Verbose mode. | 11634 | | | Prints root cert | 11635 | | | subject (double the argument | 11636 | | | for | 11637 | | | whole root cert | 11638 | | | info) | 11639 | | | -w password | 11640 | | | Database password | 11641 | | | -W pwfile | 11642 | | | Password file | 11643 | | | Revocation options | 11644 | | | for PKIX API (invoked with -pp | 11645 | | | options) are a | 11646 | | | collection of the | 11647 | | | following flags: [-g type [-h | 11648 | | | flags] [-m type | 11649 | | | [-s flags]] ...] | 11650 | | | ... | 11651 | | | Where: | 11652 | | | -g test-type | 11653 | | | Sets status | 11654 | | | checking test type.
Possible | 11655 | | | values are "leaf" or | 11656 | | | "chain" | 11657 | | | -g test type | 11658 | | | Sets status | 11659 | | | checking test type. Possible | 11660 | | | values are "leaf" or | 11661 | | | "chain". | 11662 | | | -h test flags | 11663 | | | Sets revocation | 11664 | | | flags for the test type it | 11665 | | | follows. Possible | 11666 | | | flags: | 11667 | | | "testLocalInfoFirst" and | 11668 | | | "requireFreshInfo". | 11669 | | | -m method type | 11670 | | | Sets method type | 11671 | | | for the test type it follows. | 11672 | | | Possible types are | 11673 | | | "crl" and "ocsp". | 11674 | | | -s method flags | 11675 | | | Sets revocation | 11676 | | | flags for the method it | 11677 | | | follows. Possible types | 11678 | | | are "doNotUse", | 11679 | | | "forbidFetching", | 11680 | | | "ignoreDefaultSrc", | 11681 | | | "requireInfo" and | 11682 | | | "failIfNoInfo". | 11683 | | | Additional Resources | 11684 | | | For information about NSS | 11685 | | | and other tools related to NSS | 11686 | | | (like JSS), check | 11687 | | | out the NSS project wiki at | 11688 | | | | 11689 | | | [1]\ `http://www.mozil | 11690 | | | la.org/projects/security/pki/n | 11691 | | | ss/ <https://www.mozilla.org/p | 11692 | | | rojects/security/pki/nss/>`__. | 11693 | | | The NSS site relates | 11694 | | | directly to NSS code | 11695 | | | changes and releases. | 11696 | | | Mailing lists: | 11697 | | | https://lists.mozill | 11698 | | | a.org/listinfo/dev-tech-crypto | 11699 | | | IRC: Freenode at | 11700 | | | #dogtag-pki | 11701 | | | Authors | 11702 | | | The NSS tools were written | 11703 | | | and maintained by developers | 11704 | | | with Netscape, Red | 11705 | | | Hat, and Sun. | 11706 | | | Authors: Elio Maldonado | 11707 | | | <emaldona@redhat.com>, Deon | 11708 | | | Lackey | 11709 | | | <dlackey@redhat.com>. | 11710 | | | Copyright | 11711 | | | (c) 2010, Red Hat, Inc. 
| 11712 | | | Licensed under the GNU Public | 11713 | | | License version 2. | 11714 | | | References | 11715 | | | Visible links | 11716 | | | 1. | 11717 | | | `http://www.mozi | 11718 | | | lla.org/projects/security/pki/ | 11719 | | | nss/ <https://www.mozilla.org/ | 11720 | | | projects/security/pki/nss/>`__ | 11721 +--------------------------------+--------------------------------+--------------------------------+ 11722 | | | | 11723 +--------------------------------+--------------------------------+--------------------------------+ 11724 | 359 | :ref:`mozil | | 11725 | | la_projects_nss_tools_vfyserv` | | 11726 +--------------------------------+--------------------------------+--------------------------------+ 11727 | | | Coming soon | 11728 +--------------------------------+--------------------------------+--------------------------------+ 11729 | | | | 11730 +--------------------------------+--------------------------------+--------------------------------+ 11731 | 360 | :ref:`mozilla | **NSS** | 11732 | | _projects_nss_troubleshooting` | | 11733 +--------------------------------+--------------------------------+--------------------------------+ 11734 | | | On this page, let's collect | 11735 | | | information on how to | 11736 | | | troubleshoot NSS at runtime. | 11737 | | | Debugging tips, how to enable | 11738 | | | tracing of the various | 11739 | | | modules, etc. | 11740 +--------------------------------+--------------------------------+--------------------------------+ 11741 | | | | 11742 +--------------------------------+--------------------------------+--------------------------------+ 11743 | 361 | :ref:`mozilla_p | **NSS** | 11744 | | rojects_nss_utility_functions` | | 11745 +--------------------------------+--------------------------------+--------------------------------+ 11746 | | | The public functions listed | 11747 | | | here perform initialization | 11748 | | | tasks and other services. 
| 11749 +--------------------------------+--------------------------------+--------------------------------+ 11750 | | | | 11751 +--------------------------------+--------------------------------+--------------------------------+