.. _mozilla_projects_nss_overview:

Overview of NSS
===============

.. container::

   .. rubric:: Open Source Crypto Libraries
      :name: Open_Source_Crypto_Libraries

.. _proven_application_security_architecture:

`Proven Application Security Architecture <#proven_application_security_architecture>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. container::

   If you want to add support for SSL, S/MIME, or other Internet security standards to your
   application, you can use Network Security Services (NSS) to implement all your security features.
   NSS provides a complete open-source implementation of the crypto libraries used by AOL, Red Hat,
   Google, and other companies in a variety of products, including the following:

   - `Mozilla products <https://www.mozilla.org/products/>`__, including
     `Firefox <https://www.mozilla.com/firefox/>`__,
     `Thunderbird <https://www.mozilla.com/thunderbird/>`__,
     `SeaMonkey <https://seamonkey-project.org/>`__, and `Firefox
     OS <https://support.mozilla.org/en-US/products/firefox-os>`__.
   - AOL Instant Messenger (AIM)
   - Open source client applications such as `Evolution <https://wiki.gnome.org/Apps/Evolution>`__,
     `Pidgin <https://pidgin.im/>`__, `Apache OpenOffice <https://www.openoffice.org/>`__, and
     `LibreOffice <https://www.libreoffice.org>`__.
   - Server products from `Red Hat <https://www.redhat.com/en/technologies>`__: `Red Hat Directory
     Server <https://www.redhat.com/en/technologies/cloud-computing/directory-server>`__, `Red Hat
     Certificate
     System <https://www.redhat.com/en/technologies/cloud-computing/certificate-system>`__, and the
     `mod_nss <https://directory.fedoraproject.org/docs/389ds/administration/mod-nss.html>`__ SSL
     module for the Apache web server.
   - Server products from Oracle (formerly Sun Java Enterprise System), including `Oracle
     Communications Messaging
     Server <https://www.oracle.com/industries/communications/enterprise/products/messaging-server/index.html>`__
     and `Oracle Directory Server Enterprise
     Edition <http://www.oracle.com/technetwork/middleware/id-mgmt/overview/index-085178.html>`__.
   - `SUSE Linux Enterprise Server <https://www.suse.com/products/server/>`__ supports NSS and the
     `mod_nss <https://documentation.suse.com/sles/11-SP4/html/SLES-all/cha-apache2.html#sec-apache2-nss>`__
     SSL module for the Apache web server.

   NSS includes a framework to which developers and OEMs can contribute patches, such as assembler
   code, to optimize performance on their platforms. NSS 3.x has been certified on 18 platforms.

   For more detailed information about NSS, see `wiki.mozilla.org <https://wiki.mozilla.org/NSS>`__
   and `NSS FAQ <NSS_FAQ>`__.

   Source code for a Java interface to NSS is available in the Mozilla CVS tree. For details, see
   `Network Security Services for Java <JSS>`__.

   NSS makes use of Netscape Portable Runtime
   (`NSPR <https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSPR>`__), a platform-neutral
   open-source API for system functions designed to facilitate cross-platform development. Like NSS,
   NSPR has been battle-tested in multiple products. For more information, see the `NSPR Project
   Page <https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSPR>`__.

.. _interoperability_and_open_standards:

`Interoperability and Open Standards <#interoperability_and_open_standards>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. container::

   You can use NSS to support a range of security standards in your application, including the
   following:

   - `SSL v3 </en-US/Glossary#SSL>`__. The Secure Sockets Layer (SSL) protocol allows mutual
     authentication between a client and server and the establishment of an authenticated and
     encrypted connection.
   - TLS v1.3 (`RFC 8446 <https://datatracker.ietf.org/doc/html/rfc8446>`__), TLS v1.2 (`RFC
     5246 <https://datatracker.ietf.org/doc/html/rfc5246>`__), TLS v1.1 (`RFC
     4346 <https://datatracker.ietf.org/doc/html/rfc4346>`__),
     `TLS v1 <https://www.ietf.org/rfc/rfc2246.txt>`__ (`RFC
     2246 <https://datatracker.ietf.org/doc/html/rfc2246>`__). The Transport Layer Security (TLS)
     protocol from the IETF that supersedes SSL.
   - `PKCS #1 <https://www.rsasecurity.com/rsalabs/pkcs/pkcs-1/index.html>`__. RSA standard that
     governs implementation of public-key cryptography based on the RSA algorithm.
   - `PKCS #3 <https://www.rsasecurity.com/rsalabs/pkcs/pkcs-3/index.html>`__. RSA standard that
     governs implementation of Diffie-Hellman key agreement.
   - `PKCS #5 <https://www.rsasecurity.com/rsalabs/pkcs/pkcs-5/index.html>`__. RSA standard that
     governs password-based cryptography, for example to encrypt private keys for storage.
   - `PKCS #7 <https://www.rsasecurity.com/rsalabs/pkcs/pkcs-7/index.html>`__. RSA standard that
     governs the application of cryptography to data, for example digital signatures and digital
     envelopes.
   - `PKCS #8 <https://www.rsasecurity.com/rsalabs/pkcs/pkcs-8/index.html>`__. RSA standard that
     governs the storage and encryption of private keys.
   - `PKCS #9 <https://www.rsasecurity.com/rsalabs/pkcs/pkcs-9/index.html>`__. RSA standard that
     governs selected attribute types, including those used with PKCS #7, PKCS #8, and PKCS #10.
   - `PKCS #10 <https://www.rsasecurity.com/rsalabs/pkcs/pkcs-10/index.html>`__. RSA standard that
     governs the syntax for certificate requests.
   - `PKCS #11 <https://www.rsasecurity.com/rsalabs/pkcs/pkcs-11/index.html>`__. RSA standard that
     governs communication with cryptographic tokens (such as hardware accelerators and smart
     cards) and permits application independence from specific algorithms and implementations.
   - `PKCS #12 <https://www.rsasecurity.com/rsalabs/pkcs/pkcs-12/index.html>`__. RSA standard that
     governs the format used to store or transport private keys, certificates, and other secret
     material.
   - `S/MIME (RFC 2311 and RFC 2633) </en-US/Glossary#S.2FMIME>`__. IETF message specification
     (based on the popular Internet MIME standard) that provides a consistent way to send and
     receive signed and encrypted MIME data.
   - `X.509 v3 <https://developer.mozilla.org/en-US/docs/Mozilla/Security/x509_Certificates>`__.
     ITU standard that governs the format of certificates used for authentication in public-key
     cryptography.
   - `OCSP (RFC 2560) </en-US/Glossary#OCSP>`__. The Online Certificate Status Protocol (OCSP)
     governs real-time confirmation of certificate validity.
   - `PKIX Certificate and CRL Profile <https://www.ietf.org/rfc/rfc3280.txt>`__ (`RFC
     3280 <https://datatracker.ietf.org/doc/html/rfc3280>`__). The first part of the four-part
     standard under development by the Public-Key Infrastructure (X.509) working group of the IETF
     (known as PKIX) for a public-key infrastructure for the Internet.
   - RSA, DSA, ECDSA, Diffie-Hellman, EC Diffie-Hellman,
     `AES <https://en.wikipedia.org/wiki/Advanced_Encryption_Standard>`__, Triple DES, DES, RC2,
     RC4, SHA-1, SHA-256, SHA-384, SHA-512, MD2, MD5, HMAC: Common cryptographic algorithms used in
     public-key and symmetric-key cryptography.
   - FIPS 186-2 pseudorandom number generator.

   For complete details, see `Encryption
   Technologies <https://www.mozilla.org/projects/security/pki/nss/nss-3.11/nss-3.11-algorithms.html>`__.

.. _fips_140_validation_and_niscc_testing:

`FIPS 140 Validation and NISCC Testing <#fips_140_validation_and_niscc_testing>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. container::

   The NSS software crypto module has been validated three times for conformance to FIPS 140 at
   Security Levels 1 and 2. For more information, see the `NSS FIPS <FIPS_Mode_-_an_explanation>`__
   page (`or this one <https://wiki.mozilla.org/FIPS_Validation>`__).

   The NSS libraries passed the NISCC
   `TLS/SSL <https://www.niscc.gov.uk/niscc/docs/re-20030930-00749.pdf?lang=en>`__ and
   `S/MIME <https://www.uniras.gov.uk/niscc/docs/re-20031104-00752.pdf?lang=en>`__ test suites (1.6
   million test cases of invalid input data).

.. _complete_software_development_kit:

`Complete Software Development Kit <#complete_software_development_kit>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. container::

   In addition to libraries and APIs, NSS provides :ref:`mozilla_projects_nss_tools` required for
   debugging, diagnostics, certificate and key management, cryptography module management, and other
   development tasks.

   NSS comes with an extensive and growing set of :ref:`mozilla_projects_nss#documentation`,
   including introductory material, API references, man pages for command-line tools, and
   :ref:`mozilla_projects_nss_nss_sample_code`.

   NSS is available as source and shared (dynamic) libraries. Every NSS release is backward
   compatible with previous releases, allowing NSS users to upgrade to the new NSS shared libraries
   without recompiling or relinking their applications.

.. _open-source_licensing_and_distribution:

`Open-Source Licensing and Distribution <#open-source_licensing_and_distribution>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. container::

   NSS is available under the `Mozilla Public License <https://www.mozilla.org/MPL/>`__, version 2.
   The latest source code is available for free worldwide from https://www.mozilla.org and its
   mirror sites.