Index

Found 361 pages:

#

Page

Tags and summary

1

Network Security Services (NSS)

JSS, NSS, NeedsMigration

Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. Applications built with NSS can support SSL v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards.

2

mozilla_projects_nss _an_overview_of_nss_internals

API, Intermediate, Intro, NSS, Tools

A High-Level Overview to the Internals of Network Security Services (NSS) Software developed by the Mozilla.org projects traditionally used its own implementation of security protocols and cryptographic algorithms, originally called Netscape Security Services, nowadays called Network Security Services (NSS). NSS is a library written in the C programming language. It’s free and open source software, and many other software projects have decided to use it. In order to support multiple operating systems (OS), it is based on a cross platform portability layer, called the Netscape Portable Runtime (NSPR), which provides cross platform application programming interfaces (APIs) for OS specific APIs like file system access, memory management, network communication, and multithreaded programming. NSS offers lots of functionality; we’ll walk through the list of modules, design principles, and important relevant standards. In order to allow interoperability between software and devices that perform cryptographic operations, NSS conforms to a standard called PKCS#11. (Note that it’s important to look at the number 11, as there are other PKCS standards with different numbers that define quite different topics.) A software or hardware module conforming to the PKCS#11 standard implements an interface of C calls, which allow querying the characteristics and offered services of the module. Multiple elements of NSS’s own modules have been implemented with this interface, and NSS makes use of this interface when talking to those modules. This strategy allows NSS to work with many hardware devices (e.g., to speed up the calculations required for cryptographic operations, or to access smartcards that securely protect a secret key) and software modules (e.g., to allow to load such modules as a plugin that provides additional algorithms or stores key or trust information) that implement the PKCS#11 interface. A core element of NSS is FreeBL, a base library providing hash functions, big number calculations, and cryptographic algorithms. Softoken is an NSS module that exposes most FreeBL functionality as a PKCS#11 module. Some cryptography uses the same secret key for both encrypting and decrypting, for example password based encryption (PBE). This is often sufficient if you encrypt data for yourself, but as soon as you need to exchange signed/encrypted data with communication partners, using public key encryption simplifies the key management. The environment that describes how to use public key encryption is called Public Key Infrastructure (PKI). The public keys that are exchanged between parties are transported using a container; the container is called a certificate, following standard X.509 version 3. A certificate contains lots of other details; for example, it contains a signature by a third party that expresses trust in the ownership relationship for the certificate. The trust assigned by the third party might be restricted to certain uses, which are listed in certificate extensions that are contained in the certificate. Many (if not most) of the operations performed by NSS involve the use of X.509 certificates (often abbreviated as “cert”, unfortunately making it easy to confuse with the term “computer emergency response team“). When checking whether a certificate is trusted or not, it’s necessary to find a relevant trust anchor (root certificate) that represents the signing capability of a trusted third party, usually called a Certificate Authority (CA). A trust anchor is just another X.509 certificate that is already known and has been deliberately marked as trusted by a software vendor, administrators inside an organizational infrastructure, or the software user. NSS ships a predefined set of CA certificates. This set, including their trust assignments, is provided by NSS as a software module, called CKBI (“built-in root certificates”), which also implements the PKCS#11 interface. On an organizational level the contents of the set are managed according to the Mozilla CA policy. On a technical level the set is a binary software module. A cryptographic transaction, such as encryption or decryption related to a data exchange, usually involves working with the X.509 certs of your communication partners (peer). It’s also required that you safely keep your own secret keys that belong to your own certificates. You might want to protect the storage of your secret keys with PBE. You might decide to modify the default trust provided by NSS. All of this requires storing, looking up, and retrieving data. NSS simplifies performing these operations by offering storage and management APIs. NSS doesn’t require the programmer to manage individual files containing individual certificates or keys. Instead, NSS offers to use its own database(s). Once you have imported certificates and keys into the NSS database, you can easily look them up and use them again. Because of NSS’s expectation to operate with an NSS database, it’s mandatory that you perform an initialization call, where you tell NSS which database you will be using. In the most simple scenario, the programmer will provide a directory on your filesystem as a parameter to the init function, and NSS is designed to do the rest. It will detect and open an existing database, or it can create a new one. Alternatively, should you decide that you don’t want to work with any persistent recording of certificates, you may initialize NSS in a no-database mode. Usually, NSS will flush all data to disk as soon as new data has been added to permanent storage. Storage consists of multiple files: a key database file, which contains your secret keys, and a certificate database file which contains the public portion of your own certificates, the certificates of peers or CAs, and a list of trust decisions (such as to not trust a built-in CA, or to explicitly trust other CAs). Examples for the database files are key3.db and cert8.db, where the numbers are file version numbers. A third file contains the list of external PKCS#11 modules that have been registered to be used by NSS. The file could be named secmod.db, but in newer database generations a file named pkcs11.txt is used. Only NSS is allowed to access and manipulate these database files directly; a programmer using NSS must go through the APIs offered by NSS to manipulate the data stored in these files. The programmer’s task is to initialize NSS with the required parameters (such as a database), and NSS will then transparently manage the database files. Most of the time certificates and keys are supposed to be stored in the NSS database. Therefore, after initial import or creation, the programmer usually doesn’t deal with their raw bytes. Instead, the programmer will use lookup functions, and NSS will provide an access handle that will be subsequently used by the application’s code. Those handles are reference counted. NSS will usually create an in-memory (RAM) presentation of certificates, once a certificate has been received from the network, read from disk, or looked up from the database, and prepare in-memory data structures that contain the certificate’s properties, as well as providing a handle for the programmer to use. Once the application is done with a handle, it should be released, allowing NSS to free the associated resources. When working with handles to private keys it’s usually difficult (and undesired) that an application gets access to the raw key data; therefore it may be difficult to extract such data from NSS. The usual minimum requirement is that private keys must be wrapped using a protective layer (such as password-based encryption). The intention is to make it easier to review code for security. The less code that has access to raw secret keys, the less code that must be reviewed. NSS has only limited functionality to look up raw keys. The preferred approach is to use certificates, and to look up certificates by properties such as the contained subject name (information that describes the owner of the certificate). For example, while NSS supports random calculation (creation) of a new public/private key pair, it’s difficult to work with such a raw key pair. The usual approach is to create a certificate signing request (CSR) as soon as an application is done with the creation step, which will have created a handle to the key pair, and which can be used for the necessary related operations, like producing a proof-of-ownership of the private key, which is usually required when submitting the public key with a CSR to a CA. The usual follow up action is receiving a signed certificate from a CA. (However, it’s also possible to use NSS functionality to create a self-signed certificate, which, however, usually won’t be trusted by other parties.) Once received, it’s sufficient to tell NSS to import such a new certificate into the NSS database, and NSS will automatically perform a lookup of the embedded public key, be able to find the associated private key, and subsequently be able to treat it as a personal certificate. (A personal certificate is a certificate for which the private key is in possession, and which could be used for signing data or for decrypting data.) A unique nickname can/should be assigned to the certificate at the time of import, which can later be used to easily identify and retrieve it. It’s important to note that NSS requires strict cleanup for all handles returned by NSS. The application should always call the appropriate dereference (destroy) functions once a handle is no longer needed. This is particularly important for applications that might need to close a database and reinitialize NSS using a different one, without restarting. Such an operation might fail at runtime if data elements are still being referenced. In addition to the FreeBL, Softoken, and CKBI modules, there is an utility library for general operations (e.g., encoding/decoding between data formats, a list of standardized object identifiers (OID)). NSS has an SSL/TLS module that implements the Secure Sockets Layer/Transport Layer Security network protocols, an S/MIME module that implements CMS messaging used by secure email and some instant messaging implementations, a DBM library that implements the classic database storage, and finally a core NSS library for the big set of “everything else”. Newer generations of the database use the SQLite database to allow concurrent access by multiple applications. All of the above are provided as shared libraries. The CRMF library, which is used to produce certain kinds of certificate requests, is available as a library for static linking only. When dealing with certificates (X.509), file formats such as PKCS#12 (certificates and keys), PKCS#7 (signed data), and message formats as CMS, we should mention ASN.1, which is a syntax for storing structured data in a very efficient (small sized) presentation. It was originally developed for telecommunication systems at times where it was critical to minimize data as much as possible (although it still makes sense to use that principle today for good performance). In order to process data available in the ASN.1 format, the usual approach is to parse it and transfer it to a presentation that requires more space but is easier to work with, such as (nested) C data structures. Over the time NSS has received three different ASN.1 parser implementations, each having their own specific properties, advantages and disadvantages, which is why all of them are still being used (nobody has yet dared to replace the older with the newer ones because of risks for side effects). When using the ASN.1 parser(s), a template definition is passed to the parser, which will analyze the ASN.1 data stream accordingly. The templates are usually closely aligned to definitions found in RFC documents. A data block described as DER is usually in ASN.1 format. You must know which data you are expecting, and use the correct template for parsing, based on the context of your software’s interaction. Data described as PEM is a base64 encoded presentation of DER, usually wrapped between human readable BEGIN/END lines. NSS prefers the binary presentation, but is often capable to use base64 or ASCII presentations, especially when importing data from files. A recent development adds support for loading external PEM files that contain private keys, in a software library called nss-pem, which is separately available, but should eventually become a core part of NSS. Looking at the code level, NSS deals with blocks of raw data all the time. The common structure to store such an untyped block is SECItem, which contains a size and an untyped C pointer variable. When dealing with memory, NSS makes use of arenas, which are an attempt to simplify management with the limited offerings of C (because there are no destructors). The idea is to group multiple memory allocations in order to simplify cleanup. Performing an operation often involves allocating many individual data items, and the code might be required to abort a task at many positions in the logic. An arena is requested once processing of a task starts, and all memory allocations that are logically associated to that task are requested from the associated arena. The implementation of arenas makes sure that all individual memory blocks are tracked. Once a task is done, regardless whether it completed or was aborted, the programmer simply needs to release the arena, and all individually allocated blocks will be released automatically. Often freeing is combined with immediately erasing (zeroing, zfree) the memory associated to the arena, in order to make it more difficult for attackers to extract keys from a memory dump. NSS uses many C data structures. Often NSS has multiple implementations for the same or similar concepts. For example, there are multiple presentations of certificates, and the NSS internals (and sometimes even the application using NSS) might have to convert between them. Key responsibilites of NSS are verification of signatures and certificates. In order to verify a digital signature, we have to look at the application data (e.g., a document that was signed), the signature data block (the digital signature), and a public key (as found in a certificate that is believed to be the signer, e.g., identified by metadata received together with the signature). The signature is verified if it can be shown that the signature data block must have been produced by the owner of the public key (because only that owner has the associated private key). Verifying a certificate (A) requires some additional steps. First, you must identify the potential signer (B) of a certificate (A). This is done by reading the “issuer name” attribute of a certificate (A), and trying to find that issuer certificate (B) (by looking for a certificate that uses that name as its “subject name”). Then you attempt to verify the signature found in (A) using the public key found in (B). It might be necessary to try multiple certificates (B1, B2, …) each having the same subject name. After succeeding, it might be necessary to repeat this procedure recursively. The goal is to eventually find a certificate B (or C or …) that has an appropriate trust assigned (e.g., because it can be found in the CKBI module and the user hasn’t made any overriding trust decisions, or it can be found in a NSS database file managed by the user or by the local environment). After having successfully verified the signatures in a (chain of) issuer certificate(s), we’re still not done with verifying the certificate A. In a PKI it’s suggested/required to perform additional checks. For example: Certificates were valid at the time the signature was made, name in certificates matches the expected signer (check subject name, common name, email, based on application), the trust restrictions recorded inside the certificate (extensions) permit the use (e.g., encryption might be allowed, but not signing), and based on environment/application policy it might be required to perform a revocation check (OCSP or CRL), that asks the issuer(s) of the certificates whether there have been events that made it necessary to revoke the trust (revoke the validity of the cert). Trust anchors contained in the CKBI module are usually self signed, which is defined as having identical subject name and issuer name fields. If a self-signed certificate is marked as explicitly trusted, NSS will skip checking the self-signature for validity. NSS has multiple APIs to perform verification of certificates. There is a classic engine that is very stable and works fine in all simple scenarios, for example if all (B) candidate issuer certificates have the same subject and issuer names and differ by validity period; however, it works only in a limited amount of more advanced scenarios. Unfortunately, the world of certificates has become more complex in the recent past. New Certificate Authorities enter the global PKI market, and in order to get started with their business, they might make deals with established CAs and receive so-called cross-signing-certificates. As a result, when searching for a trust path from (A) to a trusted anchor (root) certificate (Z), the set of candidate issuer certificates might have different issuer names (referring to the second or higher issuer level). As a consequence, it will be necessary to try multiple different alternative routes while searching for (Z), in a recursive manner. Only the newer verification engine (internally named libPKIX) is capable of doing that properly. It’s worth mentioning the Extended Validation (EV) principle, which is an effort by software vendors and CAs to define a stricter set of rules for issuing certificates for web site certificates. Instead of simply verifying that the requester of a certificate is in control of an administrative email address at the desired web site’s domain, it’s required that the CA performs a verification of real world identity documents (such as a company registration document with the country’s authority), and it’s also required that a browser software performs a revocation check with the CA, prior to granting validity to the certificate. In order to distinguish an EV certificate, CAs will embed a policy OID in the certificate, and the browser is expected to verify that a trust chain permits the end entity (EE) certificate to make use of the policy. Only the APIs of the newer libPKIX engine are capable of performing a policy verification. That’s a good opportunity to talk about SSL/TLS connections to servers in general (not just EV, not just websites). Whenever this document mentions SSL, it refers to either SSL or TLS. (TLS is a newer version of SSL with enhanced features.) When establishing an SSL connection to a server, (at least) a server certificate (and its trust chain) is exchanged from the server to the client (e.g., the browser), and the client verifies that the certificate can be verified (including matching the name of the expected destination server). Another part of the handshake between both parties is a key exchange. Because public key encryption is more expensive (more calculations required) than symmetric encryption (where both parties use the same key), a key agreement protocol will be executed, where the public and private keys are used to proof and verify the exchanged initial information. Once the key agreement is done, a symmetric encryption will be used (until a potential re-handshake on an existing channel). The combination of the hash and encryption algorithms used for a SSL connection is called a cipher suite. NSS ships with a set of cipher suites that it supports at a technical level. In addition, NSS ships with a default policy that defines which cipher suites are enabled by default. An application is able to modify the policy used at program runtime, by using function calls to modify the set of enabled cipher suites. If a programmer wants to influence how NSS verifies certificates or how NSS verifies the data presented in a SSL connection handshake, it is possible to register application-defined callback functions which will be called by NSS at the appropriate point of time, and which can be used to override the decisions made by NSS. If you would like to use NSS as a toolkit that implements SSL, remember that you must init NSS first. But if you don’t care about modifying the default trust permanently (recorded on disk), you can use the no-database init calls. When creating the network socket for data exchange, note that you must use the operating system independent APIs provided by NSPR and NSS. It might be interesting to mention a property of the NSPR file descriptors, which are stacked in layers. This means you can define multiple layers that are involved in data processing. A file descriptor has a pointer to the first layer handling the data. That layer has a pointer to a potential second layer, which might have another pointer to a third layer, etc. Each layer defines its own functions for the ope n/close/read/write/poll/select (etc.) functions. When using an SSL network connection, you’ll already have two layers, the basic NSPR layer and an SSL library layer. The Mozilla applications define a third layer where application specific processing is performed. You can find more details in the NSPR reference documents. NSS occassionally has to create outbound network connections, in addition to the connections requested by the application. Examples are retrieving OCSP (Online Certificate Status Protocol) information or downloading a CRL (Certificate Revocation List). However, NSS doesn’t have an implementation to work with network proxies. If you must support proxies in your application, you are able to register your own implementation of an http request callback interface, and NSS can use your application code that supports proxies. When using hashing, encryption, and decryption functions, it is possible to stream data (as opposed to operating on a large buffer). Create a context handle while providing all the parameters required for the operation, then call an “update” function multiple times to pass subsets of the input to NSS. The data will be processed and either returned directly or sent to a callback function registered in the context. When done, you call a finalization function that will flush out any pending data and free the resources. This line is a placeholder for future sections that should explain how libpkix works and is designed. If you want to work with NSS, it’s often helpful to use the command line utilities that are provided by the NSS developers. There are tools for managing NSS databases, for dumping or verifying certificates, for registering PKCS#11 modules with a database, for processing CMS encrypted/signed messages, etc. For example, if you wanted to create your own pair of keys and request a new certificate from a CA, you could use certutil to create an empty database, then use certutil to operate on your database and create a certificate request (which involves creating the desired key pair) and export it to a file, submit the request file to the CA, receive the file from the CA, and import the certificate into your database. You should assign a good nickname to a certificate when importing it, making it easier for you to refer to it later. It should be noted that the first database format that can be accessed simultaneously by multiple applications is key4.db/cert9.db – database files with lower numbers will most likely experience unrecoverable corruption if you access them with multiple applications at the same time. In other words, if your browser or your server operates on an older NSS database format, don’t use the NSS tools to operate on it while the other software is executing. At the time of writing NSS and the Mozilla applications still use the older database file format by default, where each application has its own NSS database. If you require a copy of a certificate stored in an NSS database, including its private key, you can use pk12util to export it to the PKCS#12 file format. If you require it in PEM format, you could use the openssl pkcs12 command (that’s not NSS) to convert the PKCS#12 file to PEM. This line is a placeholder for how to prepare a database, how to dump a cert, and how to convert data. You might have been motivated to work with NSS because it is used by the Mozilla applications such as Firefox, Thunderbird, etc. If you build the Mozilla application, it will automatically build the NSS library, too. However, if you want to work with the NSS command line tools, you will have to follow the standalone NSS build instructions, and build NSS outside of the Mozilla application sources. The key database file will contain at least one symmetric key, which NSS will automatically create on demand, and which will be used to protect your secret (private) keys. The symmetric key can be protected with PBE by setting a master password on the database. As soon as you set a master password, an attacker stealing your key database will no longer be able to get access to your private key, unless the attacker would also succeed in stealing the master password. Now you might be interest in how to get the mozilla_projects_nss _nss_sources_building_testing

3

mozill a_projects_nss_blank_function

NSS

One-line description of what the function does (more than just what it returns).

4

:ref:` mozilla_projects_nss_building`

Guide, NSS, Security

This page has detailed information on how to build NSS. Because NSS is a cross-platform library that builds on many different platforms and has many options, it may be complex to build. Please read these instructions carefully before attempting to build.

5

mozilla_projec ts_nss_cert_findcertbydercert

NSS

Find a certificate in the database that matches a DER-encoded certificate.

6

mozilla_projects_n ss_cert_findcertbyissuerandsn

NSS

Find a certificate in the database with the given issuer and serial number.

7

:r ef:mozilla_projects_nss_certi ficate_download_specification

NSS

This document describes the data formats used by NSS 3.x for installing certificates. This document is currently being revised and has not yet been reviewed for accuracy.

8

mozilla_proje cts_nss_certificate_functions

NSS

The public functions listed here are used to interact with certificate databases.

9

mozill a_projects_nss_certverify_log

NSS

All the NSS verify functions except, the *VerifyNow() functions, take a parameter called ‘CERTVerifyLog’. If you supply the log parameter, NSS will continue chain validation after each error . The log tells you what the problem was with the chain and what certificate in the chain failed.

10

mozil la_projects_nss_code_coverage

NSS

No summary!

11

mozilla_projec ts_nss_cryptography_functions

NSS

The public functions listed here perform cryptographic operations based on the PKCS #11 interface.

12

mozilla_projects _nss_deprecated_ssl_functions

NSS

The following SSL functions have been replaced with newer versions. The deprecated functions are not supported by the new SSL shared libraries. Applications that want to use the SSL shared libraries must convert to calling the new replacement functions listed below.

13

mozil la_projects_nss_encrypt_decryp t_mac_keys_as_session_objects

Decrypt, Encryption, Example, NSS, Sample code

Generates encryption/mac keys and uses session objects.

14

mozilla_projects_nss_en crypt_decrypt_mac_using_token

Example, Intermediate, Mozilla, NSS

Generates encryption/mac keys and uses token for storing.

15

: ref:mozilla_projects_nss_faq

NSS, NeedsUpdate

NSS is set of libraries, APIs, utilities, and documentation designed to support cross-platform development of security-enabled client and server applications. It provides a complete open-source implementation of the crypto libraries used by Mozilla and other companies in the Firefox browser, AOL Instant Messenger (AIM), server products from Red Hat, and other products.

16

mozilla_projects_n ss_fips_mode_-_an_explanation

NSS

NSS has a “FIPS Mode” that can be enabled when NSS is compiled in a specific way. (Note: Mozilla does not distribute a “FIPS Mode”-ready NSS with Firefox.) This page attempts to provide an informal explanation of what it is, who would use it, and why.

17

mozilla_projects _nss_getting_started_with_nss

Samples WIP

Network Security Services (NSS) is a base library for cryptographic algorithms and secure network protocols used by Mozilla software. Would you like to get involved and help us to improve the core security of Mozilla Firefox and other applications that make use of NSS? We are looking forward to your contributions! We have a large list of tasks waiting for attention, and we are happy to assist you in identifying areas that match your interest or skills. You can find us on Mozilla IRC in channel `#nss < irc://irc.mozilla.org/#nss>`__ or you could ask your questions on the mozilla.dev.tech.cry pto newsgroup.

18

mozilla_proje cts_nss_http_delegation_clone

Advanced, Guide, NSS

Up to version 3.11, Network Security Services (NSS) connects directly over HTTP to an OCSP responder to make the request and fetch the response. It does so in a blocking fashion, and also directly to the responder, ignoring any proxy the application may wish to use. This causes OCSP requests to fail if the network environment requires the use of a proxy.

19

mozilla _projects_nss_http_delegation

Advanced, Guide, NSS

Up to version 3.11, Network Security Services (NSS) connects directly over HTTP to an OCSP responder to make the request and fetch the response. It does so in a blocking fashion, and also directly to the responder, ignoring any proxy the application may wish to use. This causes OCSP requests to fail if the network environment requires the use of a proxy.

20

moz illa_projects_nss_introduction _to_network_security_services

Introduction, Mozilla, NSS

Network Security Services (NSS) is a set of libraries designed to support cross-platform development of communications applications that support SSL, S/MIME, and other Internet security standards. For a general overview of NSS and the standards it supports, see m ozilla_projects_nss_overview.

21

mozilla_project s_nss_jss_4_4_0_release_notes

D

The Java Security Services (JSS) team has released JSS 4.4.0, which is a minor release.

22

: ref:mozilla_projects_nss_jss

Guide, JSS, NSS, NeedsMigration

The JSS project has been relocated!

23

mozilla_proj ects_nss_jss_4_3_releasenotes

JSS, NSS

Network Security Services for Java (JSS) 4.3 is a minor release with the following new features:

24

mozilla_project s_nss_jss_4_3_1_release_notes

JSS, NSPR, NSS

Network Security Services for Java (JSS) 4.3.1 is a minor release with the following new features:

25

:ref :mozilla_projects_nss_jss_bui ld_instructions_for_jss_4_3_x

JSS

Newsgroup: mozilla.dev.tech .crypto

26

:ref :mozilla_projects_nss_jss_bui ld_instructions_for_jss_4_4_x

JSS

Newsgroup: mozilla.dev.tech .crypto

27

moz illa_projects_nss_jss_jss_faq

JSS

Newsgroup: mozilla.dev.tech.cry pto

28

mozilla_projec ts_nss_jss_jss_provider_notes

Crypto, JSS, Security

This page has been moved to http://www.do gtagpki.org/wiki/JSS_Provider.

29

:r ef:mozilla_projects_nss_jss_m ozilla-jss_jca_provider_notes

Newsgroup:*mozilla.dev.tech .crypto

30

mozil la_projects_nss_jss_using_jss

JSS

News group:mozilla.dev.tech.cry pto

31

mozill a_projects_nss_key_log_format

Key logs can be written by NSS so that external programs can decrypt TLS connections. Wireshark 1.6.0 and above can use these log files to decrypt packets. You can tell Wireshark where to find the key file via Edit→Preferences→Pro tocols→TLS→(Pre)-Master-Secret log filename.

32

mozilla_p rojects_nss_memory_allocation

NSS

NSS makes extensive use of NSPR’s PLArenaPools for memory allocation.

33

mozilla_pr ojects_nss_modutil-tasks_html

No summary!

34

mozilla _projects_nss_new_nss_samples

Example

This collection of sample code demonstrates how NSS can be used for cryptographic operations, certificate handling, SSL, etc. It also demonstrates some best practices in the application of cryptography.

35

moz illa_projects_nss_notes_on_tls _-_ssl_3_0_intolerant_servers

Gecko, NSS, Security

A number of Netscape 6.x/7.x and Mozilla users have reported that some secure sites – typically sites featuring online transactions or online banking over the HTTPS protocol – do not display any content at all. The connection seems terminated and a blank page is displayed. This is the main symptom of the problem when Mozilla based browsers encounter TLS/SSL 3.0 intolerant servers.

36

mozilla_projects_nss_n ss_3_11_10_release_notes_html

Newsgroup: <ahref=”news: mozilla.dev.tech.crypto”=”” news.mozilla.org=””>mozilla. dev.tech.crypto</ahref=”news:>

37

mozilla_projects_ns s_nss_3_12_release_notes_html

Newsgroup: mozilla.dev.tech .crypto

38

mozilla_projects_nss_ nss_3_12_1_release_notes_html

Newsgroup: mozilla.dev.tech .crypto

39

mozilla_projects_nss_ nss_3_12_2_release_notes_html

Newsgroup: mozilla.dev.tech .crypto

40

mozilla_projects _nss_nss_3_12_3_release_notes

Newsgroup: mozilla.dev.tech .crypto

41

mozilla_projects _nss_nss_3_12_4_release_notes

Network Security Services (NSS) 3.12.4 is a patch release for NSS 3.12. The bug fixes in NSS 3.12.4 are described in the “Bugs Fixed” section below.

42

mozilla_projects _nss_nss_3_12_5_release_notes

Network Security Services (NSS) 3.12.5 is a patch release for NSS 3.12. The bug fixes in NSS 3.12.5 are described in the “Bugs Fixed” section below.

43

mozilla_projects _nss_nss_3_12_6_release_notes

Network Security Services (NSS) 3.12.6 is a patch release for NSS 3.12. The bug fixes in NSS 3.12.6 are described in the “Bugs Fixed” section below.

44

mozilla_projects _nss_nss_3_12_9_release_notes

NSS

Network Security Services (NSS) 3.12.9 is a patch release for NSS 3.12. The bug fixes in NSS 3.12.9 are described in the “Bugs Fixed” section below.

45

mozilla_projec ts_nss_nss_3_14_release_notes

The NSS team has released Network Security Services (NSS) 3.14, which is a minor release with the following new features:

46

mozilla_projects _nss_nss_3_14_1_release_notes

Network Security Services (NSS) 3.14.1 is a patch release for NSS 3.14. The bug fixes in NSS 3.14.1 are described in the “Bugs Fixed” section below.

47

mozilla_projects _nss_nss_3_14_2_release_notes

Network Security Services (NSS) 3.14.2 is a patch release for NSS 3.14. The bug fixes in NSS 3.14.2 are described in the “Bugs Fixed” section below. NSS 3.14.2 should be used with NSPR 4.9.5 or newer.

48

mozilla_projects _nss_nss_3_14_3_release_notes

Network Security Services (NSS) 3.14.3 is a patch release for NSS 3.14. The bug fixes in NSS 3.14.3 are described in the “Bugs Fixed” section below.

49

mozilla_projects _nss_nss_3_14_4_release_notes

Network Security Services (NSS) 3.14.4 is a patch release for NSS 3.14. The bug fixes in NSS 3.14.4 are described in the “Bugs Fixed” section below.

50

mozilla_projects _nss_nss_3_14_5_release_notes

Network Security Services (NSS) 3.14.5 is a patch release for NSS 3.14. The bug fixes in NSS 3.14.5 are described in the “Bugs Fixed” section below.

51

mozilla_projec ts_nss_nss_3_15_release_notes

The NSS team has released Network Security Services (NSS) 3.15, which is a minor release.

52

mozilla_projects _nss_nss_3_15_1_release_notes

Network Security Services (NSS) 3.15.1 is a patch release for NSS 3.15. The bug fixes in NSS 3.15.1 are described in the “Bugs Fixed” section below.

53

mozilla_projects _nss_nss_3_15_2_release_notes

Network Security Services (NSS) 3.15.2 is a patch release for NSS 3.15. The bug fixes in NSS 3.15.2 are described in the “Bugs Fixed” section below.

54

mozilla_projects _nss_nss_3_15_3_release_notes

Network Security Services (NSS) 3.15.3 is a patch release for NSS 3.15. The bug fixes in NSS 3.15.3 are described in the “Bugs Fixed” section below.

55

mozilla_projects_n ss_nss_3_15_3_1_release_notes

Network Security Services (NSS) 3.15.3.1 is a patch release for NSS 3.15. The bug fixes in NSS 3.15.3.1 are described in the “Bugs Fixed” section below.

56

mozilla_projects _nss_nss_3_15_4_release_notes

Network Security Services (NSS) 3.15.4 is a patch release for NSS 3.15. The bug fixes in NSS 3.15.4 are described in the “Bugs Fixed” section below.

57

mozilla_projects _nss_nss_3_15_5_release_notes

Network Security Services (NSS) 3.15.5 is a patch release for NSS 3.15. The bug fixes in NSS 3.15.5 are described in the “Bugs Fixed” section below.

58

mozilla_projec ts_nss_nss_3_16_release_notes

The NSS team has released Network Security Services (NSS) 3.16, which is a minor release.

59

mozilla_projects _nss_nss_3_16_1_release_notes

Network Security Services (NSS) 3.16.1 is a patch release for NSS 3.16. The bug fixes in NSS 3.16.1 are described in the “Bugs Fixed” section below.

60

mozilla_projects _nss_nss_3_16_2_release_notes

Network Security Services (NSS) 3.16.2 is a patch release for NSS 3.16. The bug fixes in NSS 3.16.2 are described in the “Bugs Fixed” section below.

61

mozilla_projects_n ss_nss_3_16_2_1_release_notes

Reference, Security

Network Security Services (NSS) 3.16.2.1 is a patch release for NSS 3.16, based on the NSS 3.16.2 release. The bug fixes in NSS 3.16.2.1 are described in the “Bugs Fixed” section below.

62

mozilla_projects_n ss_nss_3_16_2_2_release_notes

Reference, Security

Network Security Services (NSS) 3.16.2.2 is a patch release for NSS 3.16. The bug fixes in NSS 3.16.2.2 are described in the “Bugs Fixed” section below.

63

mozilla_projects_n ss_nss_3_16_2_3_release_notes

Reference, Security

Network Security Services (NSS) 3.16.2.3 is a patch release for NSS 3.16. The bug fixes in NSS 3.16.2.3 are described in the “Bugs Fixed” section below.

64

mozilla_projects _nss_nss_3_16_3_release_notes

Network Security Services (NSS) 3.16.3 is a patch release for NSS 3.16. The bug fixes in NSS 3.16.3 are described in the “Bugs Fixed” section below.

65

mozilla_projects _nss_nss_3_16_4_release_notes

Network Security Services (NSS) 3.16.4 is a patch release for NSS 3.16. The bug fixes in NSS 3.16.4 are described in the “Bugs Fixed” section below.

66

mozilla_projects _nss_nss_3_16_5_release_notes

Reference, Security

Network Security Services (NSS) 3.16.5 is a patch release for NSS 3.16. The bug fixes in NSS 3.16.5 are described in the “Bugs Fixed” section below.

67

mozilla_projects _nss_nss_3_16_6_release_notes

Reference, Security

Network Security Services (NSS) 3.16.6 is a patch release for NSS 3.16. The bug fixes in NSS 3.16.6 are described in the “Bugs Fixed” section below.

68

mozilla_projec ts_nss_nss_3_17_release_notes

The NSS team has released Network Security Services (NSS) 3.17, which is a minor release.

69

mozilla_projects _nss_nss_3_17_1_release_notes

Reference, Security

Network Security Services (NSS) 3.17.1 is a patch release for NSS 3.17. The bug fixes in NSS 3.17.1 are described in the “Bugs Fixed” section below.

70

mozilla_projects _nss_nss_3_17_2_release_notes

Network Security Services (NSS) 3.17.2 is a patch release for NSS 3.17. The bug fixes in NSS 3.17.2 are described in the “Bugs Fixed” section below.

71

mozilla_projects _nss_nss_3_17_3_release_notes

Guide, NSS, Security

Network Security Services (NSS) 3.17.3 is a patch release for NSS 3.17. The bug fixes in NSS 3.17.3 are described in the “Bugs Fixed” section below.

72

mozilla_projects _nss_nss_3_17_4_release_notes

Guide, NSS, Security

Network Security Services (NSS) 3.17.4 is a patch release for NSS 3.17. The bug fixes in NSS 3.17.4 are described in the “Bugs Fixed” section below.

73

mozilla_projec ts_nss_nss_3_18_release_notes

Guide, NSS, NeedsContent, Security

The NSS team has released Network Security Services (NSS) 3.18, which is a minor release.

74

mozilla_projects _nss_nss_3_18_1_release_notes

Networking, Security

Network Security Services (NSS) 3.18.1 is a patch release for NSS 3.18. The bug fixes in NSS 3.18.1 are described in the “Bugs Fixed” section below.

75

mozilla_projec ts_nss_nss_3_19_release_notes

The NSS team has released Network Security Services (NSS) 3.19, which is a minor security release.

76

mozilla_projects _nss_nss_3_19_1_release_notes

Network Security Services (NSS) 3.19.1 is a security release for NSS 3.19. The bug fixes in NSS 3.19.1 are described in the “Bugs Fixed” section below.

77

mozilla_projects _nss_nss_3_19_2_release_notes

Network Security Services (NSS) 3.19.2 is a patch release for NSS 3.19 that addresses compatibility issues in NSS 3.19.1.

78

mozilla_projects_n ss_nss_3_19_2_1_release_notes

Network Security Services (NSS) 3.19.2.1 is a patch release for NSS 3.19.2. The bug fixes in NSS 3.19.2.1 are described in the “Security Advisories” section below.

79

mozilla_projects_n ss_nss_3_19_2_2_release_notes

Network Security Services (NSS) 3.19.2.2 is a security patch release for NSS 3.19.2. The bug fixes in NSS 3.19.2.2 are described in the “Security Fixes” section below.

80

mozilla_projects_n ss_nss_3_19_2_3_release_notes

Network Security Services (NSS) 3.19.2.3 is a security patch release for NSS 3.19.2. The bug fixes in NSS 3.19.2.3 are described in the “Security Fixes” section below.

81

mozilla_projects_n ss_nss_3_19_2_4_release_notes

NSS

Network Security Services (NSS) 3.19.2.4 is a security patch release for NSS 3.19.2. The bug fixed in NSS 3.19.2.4 have been described in the “Security Fixes” section below.

82

mozilla_projects _nss_nss_3_19_3_release_notes

Network Security Services (NSS) 3.19.3 is a patch release for NSS 3.19. The bug fixes in NSS 3.19.3 are described in the “Bugs Fixed” section below.

83

mozilla_projects _nss_nss_3_19_4_release_notes

Network Security Services (NSS) 3.19.4 is a patch release for NSS 3.19. The bug fixes in NSS 3.19.4 are described in the “Security Advisories” section below.

84

mozilla_projec ts_nss_nss_3_20_release_notes

The NSS team has released Network Security Services (NSS) 3.20, which is a minor release.

85

mozilla_projects _nss_nss_3_20_1_release_notes

Network Security Services (NSS) 3.20.1 is a patch release for NSS 3.20. The bug fixes in NSS 3.20.1 are described in the “Security Advisories” section below.

86

mozilla_projects _nss_nss_3_20_2_release_notes

Network Security Services (NSS) 3.20.2 is a security patch release for NSS 3.20. The bug fixes in NSS 3.20.2 are described in the “Security Fixes” section below.

87

mozilla_projec ts_nss_nss_3_21_release_notes

2016-01-07, this page has been updated to include additional information about the release. The sections “Security Fixes” and “Acknowledgements” have been added.

88

mozilla_projects _nss_nss_3_21_1_release_notes

Network Security Services (NSS) 3.21.1 is a security patch release for NSS 3.21. The bug fixes in NSS 3.21.1 are described in the “Security Fixes” section below.

89

mozilla_projects _nss_nss_3_21_2_release_notes

Network Security Services (NSS) 3.21.2 is a security patch release for NSS 3.21.1. The bug fixes in NSS 3.21.2 are described in the “Security Fixes” section below.

90

mozilla_projects _nss_nss_3_21_3_release_notes

Network Security Services (NSS) 3.21.3 is a security patch release for NSS 3.21.2. The bug fixes in NSS 3.21.3 are described in the “Security Fixes” section below.

91

mozilla_projects _nss_nss_3_21_4_release_notes

Network Security Services (NSS) 3.21.4 is a security patch release for NSS 3.21. The bug fixes in NSS 3.21.4 are described in the “Bugs Fixed” section below.

92

mozilla_projec ts_nss_nss_3_22_release_notes

The NSS team has released Network Security Services (NSS) 3.22, which is a minor release.

93

mozilla_projects _nss_nss_3_22_1_release_notes

Network Security Services (NSS) 3.22.1 is a patch release for NSS 3.22. The bug fixes in NSS 3.22.1 are described in the “Notable Changes” section below.

94

mozilla_projects _nss_nss_3_22_2_release_notes

Network Security Services (NSS) 3.22.2 is a security patch release for NSS 3.22. The bug fixes in NSS 3.22.2 are described in the “Security Fixes” section below.

95

mozilla_projects _nss_nss_3_22_3_release_notes

Network Security Services (NSS) 3.22.3 is a patch release for NSS 3.22. The bug fixes in NSS 3.22.3 are described in the “Bugs fixed” section below.

96

mozilla_projec ts_nss_nss_3_23_release_notes

Networking, Security

The NSS team has released Network Security Services (NSS) 3.23, which is a minor release.

97

mozilla_projec ts_nss_nss_3_24_release_notes

NSS, Release Notes

The Network Security Services (NSS) team has released NSS 3.24, which is a minor release.

98

mozilla_projec ts_nss_nss_3_25_release_notes

NSS, Release Notes

The Network Security Services (NSS) team has released NSS 3.25, which is a minor release.

99

mozilla_projects _nss_nss_3_25_1_release_notes

Network Security Services (NSS) 3.25.1 is a patch release for NSS 3.25.

100

mozilla_projec ts_nss_nss_3_26_release_notes

NSS, Release Notes

The Network Security Services (NSS) team has released NSS 3.26, which is a minor release.

101

mozilla_projects _nss_nss_3_26_2_release_notes

Network Security Services (NSS) 3.26.2 is a patch release for NSS 3.26.

102

mozilla_projec ts_nss_nss_3_27_release_notes

The Network Security Services (NSS) team has released NSS 3.27, which is a minor release.

103

mozilla_projects _nss_nss_3_27_1_release_notes

Network Security Services (NSS) 3.27.1 is a patch release for NSS 3.27.

104

mozilla_projects _nss_nss_3_27_2_release_notes

Network Security Services (NSS) 3.27.2 is a patch release for NSS 3.27.

105

mozilla_projec ts_nss_nss_3_28_release_notes

The Network Security Services (NSS) team has released NSS 3.28, which is a minor release.

106

mozilla_projects _nss_nss_3_28_1_release_notes

Network Security Services (NSS) 3.28.1 is a patch release for NSS 3.28. The bug fixes in NSS 3.28.1 are described in the “Bugs Fixed” section below.

107

mozilla_projects _nss_nss_3_28_2_release_notes

Network Security Services (NSS) 3.28.2 is a patch release for NSS 3.28.

108

mozilla_projects _nss_nss_3_28_3_release_notes

Network Security Services (NSS) 3.28.3 is a patch release for NSS 3.28. The bug fixes in NSS 3.28.3 are described in the “Bugs Fixed” section below.

109

mozilla_projects _nss_nss_3_28_4_release_notes

Network Security Services (NSS) 3.28.4 is a security patch release for NSS 3.28. The bug fixes in NSS 3.28.4 are described in the “Bugs Fixed” section below.

110

mozilla_projects _nss_nss_3_28_5_release_notes

Network Security Services (NSS) 3.28.5 is a patch release for NSS 3.28. The bug fixes in NSS 3.28.5 are described in the “Bugs Fixed” section below.

111

mozilla_projec ts_nss_nss_3_29_release_notes

The Network Security Services (NSS) team has released NSS 3.29, which is a minor release.

112

mozilla_projects _nss_nss_3_29_1_release_notes

Network Security Services (NSS) 3.29.1 is a patch release for NSS 3.29. The bug fixes in NSS 3.29.1 are described in the “Bugs Fixed” section below.

113

mozilla_projects _nss_nss_3_29_2_release_notes

Network Security Services (NSS) 3.29.2 is a patch release for NSS 3.29. The bug fixes in NSS 3.29.2 are described in the “Bugs Fixed” section below.

114

mozilla_projects _nss_nss_3_29_3_release_notes

Network Security Services (NSS) 3.29.3 is a patch release for NSS 3.29. The bug fixes in NSS 3.29.3 are described in the “Bugs Fixed” section below.

115

mozilla_projects _nss_nss_3_29_5_release_notes

Network Security Services (NSS) 3.29.5 is a security patch release for NSS 3.29. The bug fixes in NSS 3.29.5 are described in the “Bugs Fixed” section below.

116

mozilla_projec ts_nss_nss_3_30_release_notes

The Network Security Services (NSS) team has released NSS 3.30, which is a minor release.

117

mozilla_projects _nss_nss_3_30_1_release_notes

Network Security Services (NSS) 3.30.1 is a security patch release for NSS 3.30. The bug fixes in NSS 3.30.1 are described in the “Bugs Fixed” section below.

118

mozilla_projects _nss_nss_3_30_2_release_notes

Network Security Services (NSS) 3.30.2 is a patch release for NSS 3.30. The bug fixes in NSS 3.30.2 are described in the “Bugs Fixed” section below.

119

mozilla_projec ts_nss_nss_3_31_release_notes

The Network Security Services (NSS) team has released NSS 3.31, which is a minor release.

120

mozilla_projects _nss_nss_3_31_1_release_notes

The Network Security Services (NSS) team has released NSS 3.31.1, which is a patch release for NSS 3.31.

121

mozilla_projec ts_nss_nss_3_32_release_notes

The Network Security Services (NSS) team has released NSS 3.32, which is a minor release.

122

mozilla_projec ts_nss_nss_3_33_release_notes

The Network Security Services (NSS) team has released NSS 3.33, which is a minor release.

123

mozilla_projec ts_nss_nss_3_34_release_notes

The Network Security Services (NSS) team has released NSS 3.34, which is a minor release.

124

mozilla_projects _nss_nss_3_34_1_release_notes

The Network Security Services (NSS) team has released NSS 3.34.1, which is a minor release.

125

mozilla_projec ts_nss_nss_3_35_release_notes

The NSS team has released Network Security Services (NSS) 3.35, which is a minor release.

126

mozilla_projec ts_nss_nss_3_36_release_notes

The NSS team has released Network Security Services (NSS) 3.36, which is a minor release.

127

mozilla_projects _nss_nss_3_36_1_release_notes

Network Security Services (NSS) 3.36.1 is a patch release for NSS 3.36.

128

mozilla_projects _nss_nss_3_36_2_release_notes

NSS, Release Notes

Network Security Services (NSS) 3.36.2 is a patch release for NSS 3.36.

129

mozilla_projects _nss_nss_3_36_4_release_notes

NSS, Release Notes

Network Security Services (NSS) 3.36.4 is a patch release for NSS 3.36.

130

mozilla_projects _nss_nss_3_36_5_release_notes

Mozilla, NSS, Release Notes

Network Security Services (NSS) 3.36.5 is a patch release for NSS 3.36. The bug fixes in NSS 3.36.5 are described in the “Bugs Fixed” section below.

131

mozilla_projects _nss_nss_3_36_6_release_notes

Mozilla, NSS, Release Notes

Network Security Services (NSS) 3.36.6 is a patch release for NSS 3.36. The bug fixes in NSS 3.36.6 are described in the “Bugs Fixed” section below.

132

mozilla_projects _nss_nss_3_36_7_release_notes

Network Security Services (NSS) 3.36.7 is a patch release for NSS 3.36. The bug fixes in NSS 3.36.7 are described in the “Bugs Fixed” section below. It was released on 19 January 2019.

133

mozilla_projects _nss_nss_3_36_8_release_notes

Network Security Services (NSS) 3.36.8 is a patch release for NSS 3.36. The bug fixes in NSS 3.36.8 are described in the “Bugs Fixed” section below. It was released on 21 June 2019.

134

mozilla_projec ts_nss_nss_3_37_release_notes

The NSS team has released Network Security Services (NSS) 3.37, which is a minor release.

135

mozilla_projects _nss_nss_3_37_1_release_notes

Network Security Services (NSS) 3.37.1 is a patch release for NSS 3.37.

136

mozilla_project s_nss_nss_3_37_3release_notes

Network Security Services (NSS) 3.37.3 is a patch release for NSS 3.37.

137

mozilla_projec ts_nss_nss_3_38_release_notes

Mozilla, NSS, Release Notes

The NSS team has released Network Security Services (NSS) 3.38, which is a minor release.

138

mozilla_projec ts_nss_nss_3_39_release_notes

The NSS team has released Network Security Services (NSS) 3.39, which is a minor release.

139

mozilla_projec ts_nss_nss_3_40_release_notes

The NSS team has released Network Security Services (NSS) 3.40, which is a minor release.

140

mozilla_projects _nss_nss_3_40_1_release_notes

The NSS team has released Network Security Services (NSS) 3.40.1, which is a patch release for NSS 3.40

141

mozilla_projec ts_nss_nss_3_41_release_notes

The NSS team has released Network Security Services (NSS) 3.41 on 7 December 2018, which is a minor release.

142

mozilla_projects _nss_nss_3_41_1_release_notes

Network Security Services (NSS) 3.41.1 is a patch release for NSS 3.41. The bug fixes in NSS 3.41.1 are described in the “Bugs Fixed” section below. It was released on 22 January 2019.

143

mozilla_projec ts_nss_nss_3_42_release_notes

The NSS team has released Network Security Services (NSS) 3.42 on 25 January 2019, which is a minor release.

144

mozilla_projects _nss_nss_3_42_1_release_notes

The NSS team has released Network Security Services (NSS) 3.42.1 on 31 January 2019, which is a patch release.

145

mozilla_projec ts_nss_nss_3_43_release_notes

The NSS team has released Network Security Services (NSS) 3.43 on 16 March 2019, which is a minor release.

146

mozilla_projec ts_nss_nss_3_44_release_notes

The NSS team has released Network Security Services (NSS) 3.44 on 10 May 2019, which is a minor release.

147

mozilla_projects _nss_nss_3_44_1_release_notes

Network Security Services (NSS) 3.44.1 is a patch release for NSS 3.44. The bug fixes in NSS 3.44.1 are described in the “Bugs Fixed” section below. It was released on 21 June 2019.

148

mozilla_projects _nss_nss_3_44_2_release_notes

Network Security Services (NSS) 3.44.2 is a patch release for NSS 3.44. The bug fixes in NSS 3.44.2 are described in the “Bugs Fixed” section below. It was released on 2 October 2019.

149

mozilla_projects _nss_nss_3_44_3_release_notes

Network Security Services (NSS) 3.44.3 is a patch release for NSS 3.44. The bug fixes in NSS 3.44.3 are described in the “Bugs Fixed” section below. It was released on 19 November 2019.

150

mozilla_projects _nss_nss_3_44_4_release_notes

The NSS team has released Network Security Services (NSS) 3.44.4 on 19 May 2020. This is  a security patch release.

151

mozilla_projec ts_nss_nss_3_45_release_notes

The NSS team has released Network Security Services (NSS) 3.45 on 5 July 2019, which is a minor release.

152

mozilla_projec ts_nss_nss_3_46_release_notes

The NSS team has released Network Security Services (NSS) 3.46 on 30 August 2019, which is a minor release.

153

mozilla_projects _nss_nss_3_46_1_release_notes

Network Security Services (NSS) 3.46.1 is a patch release for NSS 3.46. The bug fixes in NSS 3.46.1 are described in the “Bugs Fixed” section below. It was released on 2 October 2019.

154

mozilla_projec ts_nss_nss_3_47_release_notes

The NSS team has released Network Security Services (NSS) 3.47 on 18 October 2019, which is a minor release.

155

mozilla_projects _nss_nss_3_47_1_release_notes

Network Security Services (NSS) 3.47.1 is a patch release for NSS 3.47. The bug fixes in NSS 3.47.1 are described in the “Bugs Fixed” section below. It was released on 19 November 2019.

156

mozilla_projec ts_nss_nss_3_48_release_notes

The NSS team has released Network Security Services (NSS) 3.48 on 5 December 2019, which is a minor release.

157

mozilla_projects _nss_nss_3_48_1_release_notes

Network Security Services (NSS) 3.48.1 is a patch release for NSS 3.48. The bug fixes in NSS 3.48.1 are described in the “Bugs Fixed” section below. It was released on 13 January 2020.

158

mozilla_projec ts_nss_nss_3_49_release_notes

The NSS team has released Network Security Services (NSS) 3.49 on 3 January 2020, which is a minor release.

159

mozilla_projects _nss_nss_3_49_1_release_notes

Network Security Services (NSS) 3.49.1 is a patch release for NSS 3.49. The bug fixes in NSS 3.49.1 are described in the “Bugs Fixed” section below. It was released on 13 January 2020.

160

mozilla_projects _nss_nss_3_49_2_release_notes

Network Security Services (NSS) 3.49.2 is a patch release for NSS 3.49. The bug fixes in NSS 3.49.2 are described in the “Bugs Fixed” section below. It was released on 23 January 2020.

161

mozilla_projec ts_nss_nss_3_50_release_notes

The NSS team has released Network Security Services (NSS) 3.50 on 7 February 2020, which is a minor release.

162

mozilla_projec ts_nss_nss_3_51_release_notes

The NSS team has released Network Security Services (NSS) 3.51 on 6 March 2020, which is a minor release.

163

mozilla_projects _nss_nss_3_51_1_release_notes

The NSS team has released Network Security Services (NSS) 3.51.1 on 3 April 2020. This is  a minor release focusing on functional bug fixes and low-risk patches only.

164

mozilla_projec ts_nss_nss_3_52_release_notes

The NSS team has released Network Security Services (NSS) 3.52 on 1 May 2020.

165

mozilla_projects _nss_nss_3_52_1_release_notes

The NSS team has released Network Security Services (NSS) 3.52.1 on 19 May 2020. This is  a security patch release.

166

mozilla_projec ts_nss_nss_3_53_release_notes

The NSS team released Network Security Services (NSS) 3.53 on 29 May 2020. NSS 3.53 will be a long-term support release, supporting Firefox 78 ESR.

167

mozilla_projects _nss_nss_3_53_1_release_notes

The NSS team has released Network Security Services (NSS) 3.53.1 on 16 June 2020. This is a security patch release.

168

mozilla_projec ts_nss_nss_3_54_release_notes

The NSS team has released Network Security Services (NSS) 3.54 on 26 June 2020, which is a minor release.

169

mozilla_projec ts_nss_nss_3_55_release_notes

The NSS team has released Network Security Services (NSS) 3.55 on 24 July 2020, which is a minor release.

170

mozilla_projec ts_nss_nss_3_56_release_notes

The NSS team has released Network Security Services (NSS) 3.56 on 21 August 2020, which is a minor release.

171

mozilla_projec ts_nss_nss_3_57_release_notes

The NSS team has released Network Security Services (NSS) 3.57 on 18 September 2020, which is a minor release.

172

mozilla_projec ts_nss_nss_3_58_release_notes

The NSS team has released Network Security Services (NSS) 3.58 on 16 October 2020, which is a minor release.

173

mozilla_projec ts_nss_nss_3_59_release_notes

The NSS team has released Network Security Services (NSS) 3.59 on 13 November 2020, which is a minor release.

174

mozilla_projects _nss_nss_3_59_1_release_notes

The NSS team has released Network Security Services (NSS) 3.59.1 on 18 December 2020, which is a patch release for NSS 3.59.

175

mozilla_projec ts_nss_nss_3_60_release_notes

The NSS team has released Network Security Services (NSS) 3.60 on 11 December 2020, which is a minor release.

176

mozilla_projects _nss_nss_3_60_1_release_notes

The NSS team released Network Security Services (NSS) 3.60.1 on 4 January 2021, which is a patch release for NSS 3.60.

177

mozilla_projec ts_nss_nss_3_61_release_notes

The NSS team released Network Security Services (NSS) 3.61 on 22 January 2021, which is a minor release.

178

mozilla_projec ts_nss_nss_3_62_release_notes

The NSS team released Network Security Services (NSS) 3.62 on 19 February 2021, which is a minor release.

179

mozilla_projec ts_nss_nss_3_63_release_notes

Network Security Services (NSS) 3.63 was released on 18 March 2021.

180

mozilla_projects _nss_nss_3_63_1_release_notes

Network Security Services (NSS) 3.63.1 was released on 6 April 2021.

181

mozilla_projec ts_nss_nss_3_64_release_notes

Network Security Services (NSS) 3.64 was released on 15 April 2021.

182

mozilla_pr ojects_nss_nss_api_guidelines

Newsgroup: mozilla.dev.tech .crypto

183

mozilla_pr ojects_nss_nss_config_options

The specified ciphers will be allowed by policy, but an application may allow more by policy explicitly:

184

mozilla_projec ts_nss_nss_developer_tutorial

NSS, Tutorial

Line length should not exceed 80 characters.

185

mozilla_projects_n ss_nss_release_notes_template

The NSS team has released Network Security Services (NSS) 3.XX, which is a minor release. or Network Security Services (NSS) 3.XX.y is a patch release for NSS 3.XX. The bug fixes in NSS 3.XX.y are described in the “Bugs Fixed” section below.

186

mozi lla_projects_nss_nss_releases

Landing, Mozilla, NSS, Networking, Project, Release Notes, Security

The current Stable release of NSS is 3.64, which was released on 15 April 2021. (mozilla_project s_nss_nss_3_64_release_notes)

187

mozilla _projects_nss_nss_sample_code

Example

The collection of sample code here demonstrates how NSS can be used for cryptographic operations, certificate handling, SSL, etc. It also demonstrates some best practices in the application of cryptography.

188

mozilla_projec ts_nss_nss_sample_code_enc_dec _mac_output_plblic_key_as_csr

Generates encryption/mac keys and outputs public key as certificate signing request

189

mozilla_projects_nss_ns s_sample_code_enc_dec_mac_usin g_key_wrap_certreq_pkcs10_csr

Generates encryption/mac keys and outputs public key as pkcs11 certificate signing request

190

mozilla_p rojects_nss_nss_sample_code_en crypt_decrypt_mac_using_token

Generates encryption/mac keys and uses token for storing.

191

mozilla_pr ojects_nss_nss_sample_code_nss _sample_code_sample_1_hashing

Examples, NSS, Security

This is an example program that demonstrates how to compute the hash of a file and save it to another file.  This program illustrates the use of NSS message APIs.

192

mozilla_projects_nss_nss _sample_code_nss_sample_code_s ample_2_initialization_of_nss

Examples, NSS, Security

This example program demonstrates how to initialize the NSS Database.  This program illustrates password handling.

193

:ref :mozilla_projects_nss_nss_sam ple_code_nss_sample_code_sampl e_3_basic_encryption_and_maci

Examples, NSS, Security

This example program demonstrates how to encrypt and MAC a file.

194

m ozilla_projects_nss_nss_sample _code_nss_sample_code_sample1

This is an example program that demonstrates how to do key generation and transport between cooperating servers. This program shows the following:

195

m ozilla_projects_nss_nss_sample _code_nss_sample_code_sample2

No summary!

196

m ozilla_projects_nss_nss_sample _code_nss_sample_code_sample3

No summary!

197

m ozilla_projects_nss_nss_sample _code_nss_sample_code_sample4

No summary!

198

m ozilla_projects_nss_nss_sample _code_nss_sample_code_sample5

No summary!

199

m ozilla_projects_nss_nss_sample _code_nss_sample_code_sample6

No summary!

200

mozil la_projects_nss_nss_sample_cod e_nss_sample_code_utililies_1

Examples, NSS, Security

This is a library of utilities used by many of the samples. This code shows the following:

201

: ref:mozilla_projects_nss_nss_ sample_code_sample1_-_hashing

HTML, Hashing Sample, JavaScript, NSS, Web Development, hashing

The NSS same code below computes the hash of a file and saves it to another file, this illustrates the use of NSS message APIs.

202

mozilla_project s_nss_nss_sample_code_sample1

Example, NSS

1. A program to compute the hash of a file and save it to another file.

203

mozilla_pro jects_nss_nss_sample_code_samp le2_-_initialize_nss_database

HTML, JavaScript, NSS, NSS Article, NSS Initialization, Web Development

The NSS sample code below demonstrates how to initialize the NSS database.

204

mozilla_project s_nss_nss_sample_code_sample2

No summary!

205

mozilla_projects _nss_nss_sample_code_sample3_- _encdecmac_using_token_object

EncDeCMac, HTML, NCC, NCC Article, Web, Web Development

Computes the hash of a file and saves it to another file, illustrates the use of NSS message APIs.

206

moz illa_projects_nss_nss_sample_c ode_utiltiies_for_nss_samples

These utility functions are adapted from those found in the sectool library used by the NSS security tools and other NSS test applications.

207

mozilla_projects_nss _nss_sources_building_testing

Build documentation, Guide, NSS, Security

Getting the source code of Network Security Services (NSS), how to build it, and how to run its test suite.

208

mozill a_projects_nss_nss_tech_notes

NSS

Newsgroup: mozilla.dev.tech .crypto

209

mozilla_projects_nss_ nss_tech_notes_nss_tech_note1

The main non-streaming APIs for these two decoders have an identical prototype :

210

mozilla_projects_nss_ nss_tech_notes_nss_tech_note2

The logger displays all activity between NSS and a specified PKCS #11 module. It works by inserting a special set of entry points between NSS and the module.

211

mozilla_projects_nss_ nss_tech_notes_nss_tech_note3

No summary!

212

mozilla_projects_nss_ nss_tech_notes_nss_tech_note4

No summary!

213

mozilla_projects_nss_ nss_tech_notes_nss_tech_note5

Note: AES encryption, a fixed blocksize of 16 bytes is used. The Rijndael algorithm permits 3 blocksizes (16, 24, 32 bytes), but the AES standard requires the blocksize to be 16 bytes. The keysize can vary and these keysizes are permitted: 16, 24, 32 bytes. You can also look at a sample program illustrating encryption

214

mozilla_projects_nss_ nss_tech_notes_nss_tech_note6

The following applies to NSS 3.8 through 3.10 :

215

mozilla_projects_nss_ nss_tech_notes_nss_tech_note7

This technical note explains how to use NSS to perform RSA signing and encryption. The industry standard for RSA signing and encryption is PKCS #1. NSS supports PKCS #1 v1.5. NSS doesn’t yet support PKCS #1 v2.0 and v2.1, in particular OAEP, but OAEP support is on our to-do li st. Your contribution is welcome.

216

mozilla_projects_nss_ nss_tech_notes_nss_tech_note8

No summary!

217

mozilla_proj ects_nss_nss_third-party_code

NSS, Security, Third-Party Code

This is a list of third-party code included in the NSS repository, broken into two lists: Code that can be compiled into the NSS libraries, and code that is only used for testing.

218

mozilla_proje cts_nss_nss_tools_sslstrength

2) sslstrength hostname[:port] [ciphers=xyz] [debug] [verbose] [policy=export|domestic]

219

:ref:` mozilla_projects_nss_overview`

NSS

If you want to add support for SSL, S/MIME, or other Internet security standards to your application, you can use Network Security Services (NSS) to implement all your security features. NSS provides a complete open-source implementation of the crypto libraries used by AOL, Red Hat, Google, and other companies in a variety of products, including the following:

220

mozilla_p rojects_nss_pkcs_12_functions

NSS

The public functions listed here perform PKCS #12 operations required by some of the NSS tools and other applications.

221

mozilla_ projects_nss_pkcs_7_functions

NSS

The public functions listed here perform PKCS #7 operations required by mail and news applications and by some of the NSS tools.

222

mozilla_ projects_nss_pkcs11_functions

NSS

This chapter describes the core PKCS #11 functions that an application needs for communicating with cryptographic modules. In particular, these functions are used for obtaining certificates, keys, and passwords. This was converted from “Chapter 7: PKCS #11 Functions”.

223

mozilla_ projects_nss_pkcs11_implement

NOTE: This document was originally for the Netscape Security Library that came with Netscape Communicator 4.0. This note will be removed once the document is updated for the current version of NSS.

224

:ref :mozilla_projects_nss_pkcs11

NSS, Security

PKCS #11 information for implementors of cryptographic modules:

225

mo zilla_projects_nss_pkcs11_faq

NSS, Security

NSS searches all the installed PKCS #11 modules when looking for certificates. Once you’ve installed the module, the module’s certificates simply appear in the list of certificates displayed in the Certificate window.

226

mozilla_projects_n ss_pkcs11_module_installation

Authentication, Biometric, Mozilla, NSS, PKCS #11, Projects, Security, Smart Card, Smart-card, Smartcard, pkcs11

PKCS #11 modules are external modules which add to Firefox support for smartcard readers, biometric security devices, and external certificate stores. This article covers the two methods for installing PKCS #11 modules into Firefox.

227

mozilla_pro jects_nss_pkcs11_module_specs

NSS

The following is a proposal to the PKCS #11 working group made in August 2001 for configuring PKCS #11 modules. NSS currently implements this proposal internally.

228

mozilla_projec ts_nss_python_binding_for_nss

python-nss is a Python binding for NSS (Network Security Services) and NSPR (Netscape Portable Runtime). NSS provides cryptography services supporting SSL, TLS, PKI, PKIX, X509, PKCS*, etc. NSS is an alternative to OpenSSL and used extensively by major software projects. NSS is FIPS-140 certified.

229

m ozilla_projects_nss_reference

NSS

Based on mozilla_projec ts_nss_ssl_functions_sslintro in the SSL Reference.

230

ref

mozilla_projects_nss_referenc e_building_and_installing_nss

NSS

This chapter describes how to build and install NSS.

231

mozilla_projects_n ss_reference_building_and_inst alling_nss_build_instructions

NSS

Numerous optional features of NSS builds are controlled through make variables.

232

mozilla_projects_n ss_reference_building_and_inst alling_nss_installation_guide

NSS

The build system of NSS originated from Netscape’s build system, which predated the “configure; make; make test; make install” sequence that we’re familiar with now. Our makefiles also have an “install” target, but it has a different meaning: our “install” means installing the headers, libraries, and programs in the appropriate directories under mozilla/dist.

233

mozilla_project s_nss_reference_building_and_i nstalling_nss_migration_to_hg

The NSPR, NSS and related projects have stopped using Mozilla’a CVS server, but have migrated to Mozilla’s HG (Mercurial) server. Each project now lives in its own separate space, they can be found at:    https:/ /hg.mozilla.org/projects/nspr/    https: //hg.mozilla.org/projects/nss/    https: //hg.mozilla.org/projects/jss/

https://hg.mo zilla.org/projects/python-nss/

234

:r ef:mozilla_projects_nss_refer ence_building_and_installing_n ss_sample_manual_installation

NSS

The NSS build system does not include a target to install header files and shared libraries in the system directories, so this needs to be done manually.

235

mozilla_projects_ns s_reference_fc_cancelfunction

NSS

FC_CancelFunction - cancel a function running in parallel

236

mozilla_projects_nss_ reference_fc_closeallsessions

NSS

FC_CloseAllSessions - close all sessions between an application and a token.

237

mozilla_projects_ nss_reference_fc_closesession

NSS

FC_CloseSession - close a session opened between an application and a token.

238

mozilla_project s_nss_reference_fc_copyobject

NSS

FC_CopyObject - create a copy of an object.

239

mozilla_projects_ nss_reference_fc_createobject

NSS

FC_CreateObject - create a new object.

240

mozilla_proj ects_nss_reference_fc_decrypt

NSS

FC_Decrypt - Decrypt a block of data.

241

mozilla_projects_nss_ref erence_fc_decryptdigestupdate

NSS

FC_DecryptDigestUpdate - continue a multi-part decrypt and digest operation

242

mozilla_projects_ nss_reference_fc_decryptfinal

NSS

FC_DecryptFinal - finish a multi-part decryption operation.

243

mozilla_projects _nss_reference_fc_decryptinit

NSS

FC_DecryptInit - initialize a decryption operation.

244

mozilla_projects_n ss_reference_fc_decryptupdate

NSS

FC_DecryptUpdate - decrypt a block of a multi-part encryption operation.

245

mozilla_projects_nss_ref erence_fc_decryptverifyupdate

NSS

FC_DecryptVerifyUpdate - continue a multi-part decrypt and verify operation

246

mozilla_projec ts_nss_reference_fc_derivekey

NSS

FC_DeriveKey - derive a key from a base key

247

mozilla_projects_n ss_reference_fc_destroyobject

NSS

FC_DestroyObject - destroy an object.

248

mozilla_pro jects_nss_reference_fc_digest

NSS

FC_Digest - digest a block of data.

249

mozilla_projects_nss_ref erence_fc_digestencryptupdate

NSS

FC_DigestEncryptUpdate - continue a multi-part digest and encryption operation

250

mozilla_projects _nss_reference_fc_digestfinal

NSS

FC_DigestFinal - finish a multi-part digest operation.

251

mozilla_project s_nss_reference_fc_digestinit

NSS

FC_DigestInit - initialize a message-digest operation.

252

mozilla_projec ts_nss_reference_fc_digestkey

NSS

FC_DigestKey - add the digest of a key to a multi-part digest operation.

253

mozilla_projects_ nss_reference_fc_digestupdate

NSS

FC_DigestUpdate - process the next block of a multi-part digest operation.

254

mozilla_proj ects_nss_reference_fc_encrypt

NSS

FC_Encrypt - Encrypt a block of data.

255

mozilla_projects_ nss_reference_fc_encryptfinal

NSS

FC_EncryptFinal - finish a multi-part encryption operation.

256

mozilla_projects _nss_reference_fc_encryptinit

NSS

FC_EncryptInit - initialize an encryption operation.

257

mozilla_projects_n ss_reference_fc_encryptupdate

NSS

FC_EncryptUpdate - encrypt a block of a multi-part encryption operation.

258

mozilla_proje cts_nss_reference_fc_finalize

NSS

FC_Finalize - indicate that an application is done with the PKCS #11 library.

259

mozilla_projects _nss_reference_fc_findobjects

NSS

FC_FindObjects - Search for one or more objects

260

mozilla_projects_nss_ reference_fc_findobjectsfinal

NSS

FC_FindObjectsFinal - terminate an object search.

261

mozilla_projects_nss _reference_fc_findobjectsinit

NSS

FC_FindObjectsInit - initialize the parameters for an object search.

262

mozilla_projects _nss_reference_fc_generatekey

NSS

FC_GenerateKey - generate a new key

263

mozilla_projects_nss _reference_fc_generatekeypair

NSS

FC_GenerateKeyPair - generate a new public/private key pair

264

mozilla_projects_ns s_reference_fc_generaterandom

NSS

FC_GenerateRandom - generate a random number.

265

mozilla_projects_nss_r eference_fc_getattributevalue

NSS

FC_GetAttributeValue - get the value of attributes of an object.

266

mozilla_projects_nss _reference_fc_getfunctionlist

NSS

FC_GetFunctionList - get a pointer to the list of function pointers in the FIPS mode of operation.

267

mozilla_projects_nss_r eference_fc_getfunctionstatus

NSS

FC_GetFunctionStatus - get the status of a function running in parallel

268

mozilla_proj ects_nss_reference_fc_getinfo

NSS

FC_GetInfo - return general information about the PKCS #11 library.

269

mozilla_projects_nss_ reference_fc_getmechanisminfo

NSS

FC_GetMechanismInfo - get information on a particular mechanism.

270

mozilla_projects_nss_ reference_fc_getmechanismlist

NSS

FC_GetMechanismList - get a list of mechanism types supported by a token.

271

mozilla_projects_n ss_reference_fc_getobjectsize

NSS

FC_GetObjectSize - create a copy of an object.

272

mozilla_projects_nss_r eference_fc_getoperationstate

NSS

FC_GetOperationState - get the cryptographic operation state of a session.

273

mozilla_projects_ns s_reference_fc_getsessioninfo

NSS

FC_GetSessionInfo - obtain information about a session.

274

mozilla_projects _nss_reference_fc_getslotinfo

NSS

FC_GetSlotInfo - get information about a particular slot in the system.

275

mozilla_projects _nss_reference_fc_getslotlist

NSS

FC_GetSlotList - Obtain a list of slots in the system.

276

mozilla_projects_ nss_reference_fc_gettokeninfo

NSS

FC_GetTokenInfo - obtain information about a particular token in the system.

277

mozilla_project s_nss_reference_fc_initialize

NSS

FC_Initialize - initialize the PKCS #11 library.

278

mozilla_proj ects_nss_reference_fc_initpin

NSS

FC_InitPIN() - Initialize the user’s PIN.

279

mozilla_projec ts_nss_reference_fc_inittoken

NSS

FC_InitToken() - initialize or re-initialize a token.

280

mozilla_pr ojects_nss_reference_fc_login

NSS

FC_Login() - log a user into a token.

281

mozilla_pro jects_nss_reference_fc_logout

NSS

FC_Logout - log a user out from a token.

282

mozilla_projects _nss_reference_fc_opensession

NSS

FC_OpenSession - open a session between an application and a token.

283

mozilla_project s_nss_reference_fc_seedrandom

NSS

FC_SeedRandom() - mix additional seed material into the random number generator.

284

mozilla_projects_nss_r eference_fc_setattributevalue

NSS

FC_SetAttributeValue - set the values of attributes of an object.

285

mozilla_projects_nss_r eference_fc_setoperationstate

NSS

FC_SetOperationState - restore the cryptographic operation state of a session.

286

mozilla_pro jects_nss_reference_fc_setpin

NSS

FC_SetPIN - Modify the user’s PIN.

287

mozilla_p rojects_nss_reference_fc_sign

NSS

FC_Sign - sign a block of data.

288

mozilla_projects_nss_r eference_fc_signencryptupdate

NSS

FC_SignEncryptUpdate - continue a multi-part signing and encryption operation

289

mozilla_projec ts_nss_reference_fc_signfinal

NSS

FC_SignFinal - finish a multi-part signing operation.

290

mozilla_proje cts_nss_reference_fc_signinit

NSS

FC_SignInit - initialize a signing operation.

291

mozilla_projects _nss_reference_fc_signrecover

NSS

FC_SignRecover - Sign data in a single recoverable operation.

292

mozilla_projects_nss _reference_fc_signrecoverinit

NSS

FC_SignRecoverInit - initialize a sign recover operation.

293

mozilla_project s_nss_reference_fc_signupdate

NSS

FC_SignUpdate - process the next block of a multi-part signing operation.

294

mozilla_projec ts_nss_reference_fc_unwrapkey

NSS

FC_UnwrapKey - unwrap a key

295

mozilla_pro jects_nss_reference_fc_verify

NSS

FC_Verify - sign a block of data.

296

mozilla_projects _nss_reference_fc_verifyfinal

NSS

FC_VerifyFinal - finish a multi-part verify operation.

297

mozilla_project s_nss_reference_fc_verifyinit

NSS

FC_VerifyInit - initialize a verification operation.

298

mozilla_projects_n ss_reference_fc_verifyrecover

NSS

FC_VerifyRecover - Verify data in a single recoverable operation.

299

mozilla_projects_nss_r eference_fc_verifyrecoverinit

NSS

FC_VerifyRecoverInit - initialize a verification operation where data is recoverable.

300

mozilla_projects_ nss_reference_fc_verifyupdate

NSS

FC_VerifyUpdate - process the next block of a multi-part verify operation.

301

mozilla_projects_nss_ reference_fc_waitforslotevent

NSS

FC_WaitForSlotEvent - waits for a slot event, such as token insertion or token removal, to occur.

302

mozilla_proj ects_nss_reference_fc_wrapkey

NSS

FC_WrapKey - wrap a key

303

mozilla_project s_nss_reference_nsc_inittoken

NSS

NSC_InitToken() - initialize or re-initialize a token.

304

mozilla_pro jects_nss_reference_nsc_login

NSS

NSC_Login() - log a user into a token.

305

mozilla_projects _nss_reference_nspr_functions

NSPR is a platform abstraction library that provides a cross-platform API to common OS services.  NSS uses NSPR internally as the porting layer.  However, a small number of NSPR functions are required for using the certificate verification and SSL functions in NSS.  These NSPR functions are listed in this section.

306

:re f:mozilla_projects_nss_refere nce_nss_certificate_functions

NSS

This chapter describes the functions and related types used to work with a certificate database such as the cert8.db database provided with NSS. This was converted from “Chapter 5: Certificate Functions”.

307

:r ef:mozilla_projects_nss_refer ence_nss_cryptographic_module

NSS

This chapter describes the data types and functions that one can use to perform cryptographic operations with the NSS cryptographic module. The NSS cryptographic module uses the industry standard PKCS #11 v2.20 as its API with some extensions. Therefore, an application that supports PKCS #11 cryptographic tokens can be easily modified to use the NSS cryptographic module.

308

mozilla_projects_ns s_reference_nss_cryptographic_ module_fips_mode_of_operation

NSS

These functions manage certificates and keys.

309

:re f:mozilla_projects_nss_refere nce_nss_environment_variables

NSS

These environment variables affect the RUN TIME behavior of NSS shared libraries. There is a separate set of environment variables that affect how NSS is built, documented below.

310

mozilla_project s_nss_reference_nss_functions

NSS

This page lists all exported functions in NSS 3.11.7 It was ported from here.

311

mozilla_projects _nss_reference_nss_initialize

NSS_Initialize - initialize NSS.

312

mozilla_projects_ns s_reference_nss_key_functions

NSS

This chapter describes two functions used to manipulate private keys and key databases such as the key3.db database provided with NSS. This was converted from “Chapter 6: Key Functions”.

313

mozilla_projects_nss_r eference_nss_tools_:_certutil

Name    certutil — Manage keys and certificate in both NSS databases and other NSS tokens Synopsis    certutil [options] [[arguments]] Description    The Certificate Database Tool, certutil, is a command-line utility    that can create and modify certificate and key databases.    It can specifically list, generate, modify, or delete certificates, create or    change the password, generate new public and private key pairs,    display the contents of the key database, or delete key pairs within  the key database.    Certificate issuance, part of the key and certificate management process, requires that    keys and certificates be created in the key database. This document discusses certificate    and key database management. For information on the  security module database management,    see the modutil manpage. Options and Arguments    Running certutil always requires one and only one command option to    specify the type of certificate operation. Each option may take arguments,    anywhere from none to multiple arguments. The command option -H will list    all the command options available and their relevant arguments.    Command Options    -A           Add an existing certificate to a certificate database.           The certificate database should already exist; if one is           not present, this command option will initialize one by default.    -B           Run a series of commands from the specified batch file.           This requires the -i argument.    -C           Create a new binary certificate file from a binary           certificate request file. Use the -i argument to specify           the certificate request file. If this argument is not           used, certutil prompts for a filename.    -D           Delete a certificate from the certificate database.

314

mozilla_projects_nss_ reference_nss_tools_:_cmsutil

Name

315

mozilla_projects_nss_ reference_nss_tools_:_crlutil

Reference

Name

316

mozilla_projects_nss_ reference_nss_tools_:_modutil

Mozilla, NSS, Reference, Security, Tools, Utilities, modutil

Name

317

mozilla_projects_nss_r eference_nss_tools_:_pk12util

NSS tools : pk12util

318

mozilla_projects_nss _reference_nss_tools_:_ssltab

Name

319

mozilla_projects_nss _reference_nss_tools_:_ssltap

Name

320

mozilla_projects_nss_r eference_nss_tools_:_vfychain

Name

321

mozilla_projects_nss_ reference_nss_tools_:_vfyserv

Name

322

mozilla_pro jects_nss_reference_nss_tools

certutil mozilla_projects_nss_r eference_nss_tools_:_certutil

323

mozilla_projec ts_nss_reference_troubleshoot

Newsgroup: mozilla.dev.tech .crypto

324

mozil la_projects_nss_release_notes

This page lists release notes for older versions of NSS. See mozi lla_projects_nss_nss_releases mozi lla_projects_nss_nss_releases for recent release notes. The links below are provided for historical information.

325

mozilla_ projects_nss_s_mime_functions

NSS

The public functions listed here perform S/MIME operations using the S/MIME Toolkit.

326

mozil la_projects_nss_ssl_functions

NSS

The public functions listed here are used to configure sockets for communication via the SSL and TLS protocols. In addition to the functions listed here, applications that support SSL use some of the Certificate functions, Crypto functions, and Utility functions described below on this page.

327

mozilla_pro jects_nss_ssl_functions_gtstd

This chapter describes how to set up your environment, including certificate and key databases.

328

mozilla_projects_nss_ss l_functions_old_ssl_reference

NSS

New sgroup:mozilla.dev.tech.cr ypto* Writer: Sean Cotter Manager: Wan-Teh Chang*

329

mozilla_pro jects_nss_ssl_functions_pkfnc

330

mozilla_proj ects_nss_ssl_functions_sslcrt

331

mozilla_proj ects_nss_ssl_functions_sslerr

332

mozilla_proj ects_nss_ssl_functions_sslfnc

333

mozilla_projec ts_nss_ssl_functions_sslintro

SSL and related APIs allow compliant applications to configure sockets for authenticated, tamper-proof, and encrypted communications. This chapter introduces some of the basic SSL functions. Chapter 2, “Getting Started With SSL” illustrates their use in sample client and server applications.

334

mozilla_proj ects_nss_ssl_functions_sslkey

335

mozilla_proj ects_nss_ssl_functions_ssltyp

336

mozilla_projects_n ss_tls_cipher_suite_discovery

NSS

In order to communicate securely, an TLS client and TLS server must agree on the cryptographic algorithms and keys that they will both use on the secured connection. They must agree on these items:

337

:re f:mozilla_projects_nss_tools

NSS

Newsgroup: mozilla.dev.tech .crypto

338

mozill a_projects_nss_tools_certutil

Name    certutil — Manage keys and certificate in the NSS database. Synopsis    certutil [options] arguments Description    The Certificate Database Tool, certutil, is a command-line utility that    can create and modify certificate and key database files. It can also    list, generate, modify, or delete certificates within the database, create    or change the password, generate new public and private key pairs, display    the contents of the key database, or delete key pairs within the key    database.    The key and certificate management process generally begins with creating    keys in the key database, then generating and managing certificates in the    certificate database. This document discusses certificate and key database    management. For information security module database management, see the    modutil manpages. Options and Arguments    Running certutil always requires one (and only one) option to specify the    type of certificate operation. Each option may take arguments, anywhere    from none to multiple arguments. Run the command option and -H to see the    arguments available for each command option.    Options    Options specify an action and are uppercase.    -A            Add an existing certificate to a certificate database. The            certificate database should already exist; if one is not present,            this option will initialize one by default.    -B            Run a series of commands from the specified batch file. This            requires the -i argument.    -C            Create a new binary certificate file from a binary certificate            request file. Use the -i argument to specify the certificate            request file. If this argument is not used, certutil prompts for a            filename.    -D            Delete a certificate from the certificate database.    -E            Add an email certificate to the certificate database.    -F            Delete a private key from a key database. Specify the key to            delete with the -n argument. Specify the database from which to            delete the key with the -d argument. Use the -k argument to            specify explicitly whether to delete a DSA, RSA, or ECC key. If            you don’t use the -k argument, the option looks for an RSA key            matching the specified nickname.            When you delete keys, be sure to also remove any certificates            associated with those keys from the certificate database, by using            -D. Some smart cards (for example, the Litronic card) do not let            you remove a public key you have generated. In such a case, only            the private key is deleted from the key pair. You can display the            public key with the command certutil -K -h tokenname.    -G            Generate a new public and private key pair within a key database.            The key database should already exist; if one is not present, this            option will initialize one by default. Some smart cards (for            example, the Litronic card) can store only one key pair. If you            create a new key pair for such a card, the previous pair is            overwritten.    -H            Display a list of the options and arguments used by the            Certificate Database Tool.    -K            List the key ID of keys in the key database. A key ID is the            modulus of the RSA key or the publicValue of the DSA key. IDs are            displayed in hexadecimal (“0x” is not shown).    -L            List all the certificates, or display information about a named            certificate, in a certificate database. Use the -h tokenname            argument to specify the certificate database on a particular            hardware or software token.    -M            Modify a certificate’s trust attributes using the values of the -t            argument.    -N            Create new certificate and key databases.    -O            Print the certificate chain.    -R            Create a certificate request file that can be submitted to a            Certificate Authority (CA) for processing into a finished            certificate. Output defaults to standard out unless you use -o            output-file argument. Use the -a argument to specify ASCII output.    -S            Create an individual certificate and add it to a certificate            database.    -T            Reset the key database or token.    -U            List all available modules or print a single named module.    -V            Check the validity of a certificate and its attributes.    -W            Change the password to a key database.    –merge            Merge a source database into the target database. This is used to            merge legacy NSS databases (cert8.db and key3.db) into the newer            SQLite databases (cert9.db and key4.db).    –upgrade-merge            Upgrade an old database and merge it into a new database. This is            used to migrate legacy NSS databases (cert8.db and key3.db) into            the newer SQLite databases (cert9.db and key4.db).    Arguments    Option arguments modify an action and are lowercase.    -a            Use ASCII format or allow the use of ASCII format for input or            output. This formatting follows RFC 1113. For certificate            requests, ASCII output defaults to standard output unless            redirected.    -b validity-time            Specify a time at which a certificate is required to be valid. Use            when checking certificate validity with the -V option. The format            of the validity-time argument is YYMMDDHHMMSS[+HHMM|-HHMM|Z],            which allows offsets to be set relative to the validity end time.            Specifying seconds (SS) is optional. When specifying an explicit            time, use a Z at the end of the term, YYMMDDHHMMSSZ, to close it.            When specifying an offset time, use YYMMDDHHMMSS+HHMM or            YYMMDDHHMMSS-HHMM for adding or subtracting time, respectively.            If this option is not used, the validity check defaults to the            current system time.    -c issuer            Identify the certificate of the CA from which a new certificate            will derive its authenticity. Use the exact nickname or alias of            the CA certificate, or use the CA’s email address. Bracket the            issuer string with quotation marks if it contains spaces.    -d [sql:]directory            Specify the database directory containing the certificate and key            database files.            certutil supports two types of databases: the legacy security            databases (cert8.db, key3.db, and secmod.db) and new SQLite            databases (cert9.db, key4.db, and pkcs11.txt). If the prefix sql:            is not used, then the tool assumes that the given databases are in            the old format.    -e            Check a certificate’s signature during the process of validating a            certificate.    -f password-file            Specify a file that will automatically supply the password to            include in a certificate or to access a certificate database. This            is a plain-text file containing one password. Be sure to prevent            unauthorized access to this file.    -g keysize            Set a key size to use when generating new public and private key            pairs. The minimum is 512 bits and the maximum is 8192 bits. The            default is 1024 bits. Any size between the minimum and maximum is            allowed.    -h tokenname            Specify the name of a token to use or act on. Unless specified            otherwise the default token is an internal slot (specifically,            internal slot 2). This slot can also be explicitly named with the            string “internal”. An internal slots is a virtual slot maintained            in software, rather than a hardware device. Internal slot 2 is            used by key and certificate services. Internal slot 1 is used by            cryptographic services.    -i input_file            Pass an input file to the command. Depending on the command            option, an input file can be a specific certificate, a certificate            request file, or a batch file of commands.    -k rsa|dsa|ec|all            Specify the type of a key. The valid options are RSA, DSA, ECC, or            all. The default value is rsa. Specifying the type of key can            avoid mistakes caused by duplicate nicknames.    -k key-type-or-id            Specify the type or specific ID of a key. Giving a key type            generates a new key pair; giving the ID of an existing key reuses            that key pair (which is required to renew certificates).    -l            Display detailed information when validating a certificate with            the -V option.    -m serial-number            Assign a unique serial number to a certificate being created. This            operation should be performed by a CA. The default serial number            is 0 (zero). Serial numbers are limited to integers.    -n nickname            Specify the nickname of a certificate or key to list, create, add            to a database, modify, or validate. Bracket the nickname string            with quotation marks if it contains spaces.    -o output-file            Specify the output file name for new certificates or binary            certificate requests. Bracket the output-file string with            quotation marks if it contains spaces. If this argument is not            used the output destination defaults to standard output.    -P dbPrefix            Specify the prefix used on the certificate and key database file.            This option is provided as a special case. Changing the names of            the certificate and key databases is not recommended.    -p phone            Specify a contact telephone number to include in new certificates            or certificate requests. Bracket this string with quotation marks            if it contains spaces.    -q pqgfile            Read an alternate PQG value from the specified file when            generating DSA key pairs. If this argument is not used, certutil            generates its own PQG value. PQG files are created with a separate            DSA utility.    -q curve-name            Set the elliptic curve name to use when generating ECC key pairs.            A complete list of ECC curves is given in the help (-H).    -r            Display a certificate’s binary DER encoding when listing            information about that certificate with the -L option.    -s subject            Identify a particular certificate owner for new certificates or            certificate requests. Bracket this string with quotation marks if            it contains spaces. The subject identification format follows RFC            #1485.    -t trustargs            Specify the trust attributes to modify in an existing certificate            or to apply to a certificate when creating it or adding it to a            database. There are three available trust categories for each            certificate, expressed in the order SSL, email, object signing for            each trust setting. In each category position, use none, any, or            all of the attribute codes:               o p - Valid peer               o P - Trusted peer (implies p)               o c - Valid CA               o T - Trusted CA to issue client certificates (implies c)               o C - Trusted CA to issue server certificates (SSL only)                 (implies c)               o u - Certificate can be used for authentication or signing               o w - Send warning (use with other attributes to include a                 warning when the certificate is used in that context)            The attribute codes for the categories are separated by commas,            and the entire set of attributes enclosed by quotation marks. For            example:            -t “TCu,Cu,Tuw”            Use the -L option to see a list of the current certificates and            trust attributes in a certificate database.    -u certusage            Specify a usage context to apply when validating a certificate            with the -V option.            The contexts are the following:               o C (as an SSL client)               o V (as an SSL server)               o S (as an email signer)               o R (as an email recipient)               o O (as an OCSP status responder)               o J (as an object signer)    -v valid-months            Set the number of months a new certificate will be valid. The            validity period begins at the current system time unless an offset            is added or subtracted with the -w option. If this argument is not            used, the default validity period is three months. When this            argument is used, the default three-month period is automatically            added to any value given in the valid-month argument. For example,            using this option to set a value of 3 would cause 3 to be added to            the three-month default, creating a validity period of six months.            You can use negative values to reduce the default period. For            example, setting a value of -2 would subtract 2 from the default            and create a validity period of one month.    -w offset-months            Set an offset from the current system time, in months, for the            beginning of a certificate’s validity period. Use when creating            the certificate or adding it to a database. Express the offset in            integers, using a minus sign (-) to indicate a negative offset. If            this argument is not used, the validity period begins at the            current system time. The length of the validity period is set with            the -v argument.    -X            Force the key and certificate database to open in read-write mode.            This is used with the -U and -L command options.    -x            Use certutil to generate the signature for a certificate being            created or added to a database, rather than obtaining a signature            from a separate CA.    -y exp            Set an alternate exponent value to use in generating a new RSA            public key for the database, instead of the default value of            65537. The available alternate values are 3 and 17.    -z noise-file            Read a seed value from the specified file to generate a new            private and public key pair. This argument makes it possible to            use hardware-generated seed values or manually create a value from            the keyboard. The minimum file size is 20 bytes.    -0 SSO_password            Set a site security officer password on a token.    -1 | –keyUsage keyword,keyword            Set a Netscape Certificate Type Extension in the certificate.            There are several available keywords:               o digital signature               o nonRepudiation

o keyEncipherment

o dataEncipherment               o keyAgreement               o certSigning               o crlSigning               o critical    -2            Add a basic constraint extension to a certificate that is being            created or added to a database. This extension supports the            certificate chain verification process. certutil prompts for the            certificate constraint extension to select.            X.509 certificate extensions are described in RFC 5280.    -3            Add an authority key ID extension to a certificate that is being            created or added to a database. This extension supports the            identification of a particular certificate, from among multiple            certificates associated with one subject name, as the correct            issuer of a certificate. The Certificate Database Tool will prompt            you to select the authority key ID extension.            X.509 certificate extensions are described in RFC 5280.    -4            Add a CRL distribution point extension to a certificate that is            being created or added to a database. This extension identifies            the URL of a certificate’s associated certificate revocation list            (CRL). certutil prompts for the URL.            X.509 certificate extensions are described in RFC 5280.    -5 | –nsCertType keyword,keyword            Add a Netscape certificate type extension to a certificate that is            being created or added to the database. There are several            available keywords:               o sslClient               o sslServer               o smime               o objectSigning               o sslCA               o smimeCA

o objectSigningCA               o critical            X.509 certificate extensions are described in RFC 5280.    -6 | –extKeyUsage keyword,keyword            Add an extended key usage extension to a certificate that is being            created or added to the database. Several keywords are available:               o serverAuth               o clientAuth               o codeSigning

o emailProtection               o timeStamp               o ocspResponder               o stepUp               o critical            X.509 certificate extensions are described in RFC 5280.    -7 emailAddrs            Add a comma-separated list of email addresses to the subject            alternative name extension of a certificate or certificate request            that is being created or added to the database. Subject            alternative name extensions are described in Section 4.2.1.7 of            RFC 3280.    -8 dns-names            Add a comma-separated list of DNS names to the subject alternative            name extension of a certificate or certificate request that is            being created or added to the database. Subject alternative name            extensions are described in Section 4.2.1.7 of RFC 3280.    –extAIA            Add the Authority Information Access extension to the certificate.            X.509 certificate extensions are described in RFC 5280.    –extSIA            Add the Subject Information Access extension to the certificate.            X.509 certificate extensions are described in RFC 5280.    –extCP            Add the Certificate Policies extension to the certificate. X.509            certificate extensions are described in RFC 5280.    –extPM            Add the Policy Mappings extension to the certificate. X.509            certificate extensions are described in RFC 5280.    –extPC            Add the Policy Constraints extension to the certificate. X.509            certificate extensions are described in RFC 5280.    –extIA            Add the Inhibit Any Policy Access extension to the certificate.            X.509 certificate extensions are described in RFC 5280.    –extSKID            Add the Subject Key ID extension to the certificate. X.509            certificate extensions are described in RFC 5280.    –source-dir certdir            Identify the certificate database directory to upgrade.    –source-prefix certdir            Give the prefix of the certificate and key databases to upgrade.    –upgrade-id uniqueID            Give the unique ID of the database to upgrade.    –upgrade-token-name name            Set the name of the token to use while it is being upgraded.    -@ pwfile            Give the name of a password file to use for the database being            upgraded. Usage and Examples    Most of the command options in the examples listed here have more    arguments available. The arguments included in these examples are the most    common ones or are used to illustrate a specific scenario. Use the -H    option to show the complete list of arguments for each command option.    Creating New Security Databases    Certificates, keys, and security modules related to managing certificates    are stored in three related databases:      o cert8.db or cert9.db      o key3.db or key4.db      o secmod.db or pkcs11.txt    These databases must be created before certificates or keys can be    generated.  certutil -N -d [sql:]directory    Creating a Certificate Request    A certificate request contains most or all of the information that is used    to generate the final certificate. This request is submitted separately to    a certificate authority and is then approved by some mechanism    (automatically or by human review). Once the request is approved, then the    certificate is generated.  $ certutil -R -k key-type-or-id [-q pqgfile|curve-name] -g key-size -s subject [-h tokenname] -d [sql:]directory [-p phone] [-o output-file] [-a]    The -R command options requires four arguments:      o -k to specify either the key type to generate or, when renewing a        certificate, the existing key pair to use      o -g to set the keysize of the key to generate      o -s to set the subject name of the certificate      o -d to give the security database directory    The new certificate request can be output in ASCII format (-a) or can be    written to a specified file (-o).    For example:  $ certutil -R -k ec -q nistb409 -g 512 -s “CN=John Smith,O=Example Corp,L=Mountain View,ST=California,C=US” -d sql:/home/my/sharednssdb -p 650-555-0123 -a -o cert.cer  Generating key.  This may take a few moments…  Certificate request generated by Netscape  Phone: 650-555-0123  Common Name: John Smith  Email: (not ed)  Organization: Example Corp  State: California  Country: US  —–BEGIN NEW CERTIFICATE REQUEST—–  MIIB IDCBywIBADBmMQswCQYDVQQGEwJVUz ETMBEGA1UECBMKQ2FsaWZvcm5pYTEW  MBQG A1UEBxMNTW91bnRhaW4gVmlldzEVMB MGA1UEChMMRXhhbXBsZSBDb3JwMRMw  EQYD VQQDEwpKb2huIFNtaXRoMFwwDQYJKo ZIhvcNAQEBBQADSwAwSAJBAMVUpDOZ  KmHn Ox7reP8Cc0Lk+fFWEuYIDX9W5K/Bio QOKvEjXyQZhit9aThzBVMoSf1Y1S8J  CzdU bCg1+IbnXaECAwEAAaAAMA0GCSqGSI b3DQEBBQUAA0EAryqZvpYrUtQ486Ny  qmty QNjIi1F8c1Z+TL4uFYlMg8z6LG/J/u 1E5t1QqB5e9Q4+BhRbrQjRR1JZx3tB  1hP9Gg==  —–END NEW CERTIFICATE REQUEST—–    Creating a Certificate    A valid certificate must be issued by a trusted CA. This can be done by    specifying a CA certificate (-c) that is stored in the certificate    database. If a CA key pair is not available, you can create a self-signed    certificate using the -x argument with the -S command option.  $ certutil -S -k rsa|dsa|ec -n certname -s subject [-c issuer |-x] -t trustargs -d [sql:]directory [-m serial-number] [-v valid-months] [-w offset-months] [-p phone] [-1] [-2] [-3] [-4] [-5 keyword] [-6 keyword] [-7 emailAddress] [-8 dns-names] [–extAIA] [–extSIA] [–extCP] [–extPM] [–extPC] [–extIA] [–extSKID]    The series of numbers and –ext* options set certificate extensions that    can be added to the certificate when it is generated by the CA.    For example, this creates a self-signed certificate:  $ certutil -S -s “CN=Example CA” -n my-ca-cert -x -t “C,C,C” -1 -2 -5 -m 3650    From there, new certificates can reference the self-signed certificate:  $ certutil -S -s “CN=My Server Cert” -n my-server-cert -c “my-ca-cert” -t “u,u,u” -1 -5 -6 -8 -m 730    Generating a Certificate from a Certificate Request    When a certificate request is created, a certificate can be generated by    using the request and then referencing a certificate authority signing    certificate (the issuer specified in the -c argument). The issuing    certificate must be in the certificate database in the specified    directory.  certutil -C -c issuer -i cert-request-file -o output-file [-m serial-number] [-v valid-months] [-w offset-months] -d [sql:]directory [-1] [-2] [-3] [-4] [-5 keyword] [-6 keyword] [-7 emailAddress] [-8 dns-names]    For example:  $ certutil -C -c “my-ca-cert” -i /home/certs/cert.req -o cert.cer -m 010 -v 12 -w 1 -d sql:/home/my/sharednssdb -1 n onRepudiation,dataEncipherment -5 sslClient -6 clientAuth -7 jsmith@example.com    Generating Key Pairs    Key pairs are generated automatically with a certificate request or    certificate, but they can also be generated independently using the -G    command option.  certutil -G -d [sql:]directory | -h tokenname -k key-type -g key-size [-y exponent-value] -q pqgfile|curve-name    For example:  $ certutil -G -h lunasa -k ec -g 256 -q sect193r2    Listing Certificates    The -L command option lists all of the certificates listed in the    certificate database. The path to the directory (-d) is required.  $ certutil -L -d sql:/home/my/sharednssdb  Certificate Nickname

Trust Attributes

SSL,S/MIME,JAR/XPI  CA Administrator of Instance pki-ca1’s Example Domain ID     u,u,u  TPS Administrator’s Example Domain ID u,u,u  Google Internet Authority

,,  Certificate Authority - Example Domain CT,C,C    Using additional arguments with -L can return and print the information    for a single, specific certificate. For example, the -n argument passes    the certificate name, while the -a argument prints the certificate in    ASCII format:  $ certutil -L -d sql:/home/my/sharednssdb -a -n “Certificate Authority - Example Domain”  —–BEGIN CERTIFICATE—–  MIID mTCCAoGgAwIBAgIBATANBgkqhkiG9w 0BAQUFADA5MRcwFQYDVQQKEw5FeGFt  cGxl IERvbWFpbjEeMBwGA1UEAxMVQ2VydG lmaWNhdGUgQXV0aG9yaXR5MB4XDTEw  MDQy OTIxNTY1OFoXDTEyMDQxODIxNTY1OF owOTEXMBUGA1UEChMORXhhbXBsZSBE  b21h aW4xHjAcBgNVBAMTFUNlcnRpZmljYX RlIEF1dGhvcml0eTCCASIwDQYJKoZI  hvcN AQEBBQADggEPADCCAQoCggEBAO/bqU li2KwqXFKmMMG93KN1SANzNTXA/Vlf  Tmri h3hQgjvR1ktIY9aG6cB7DSKWmtHp/+ p4PUCMqL4ZrSGt901qxkePyZ2dYmM2  Rnel K+SEUIPiUtoZaDhNdiYsE/yuDE8vQW j0vHCVL0w72qFUcSQ/WZT7FCrnUIUI  udeW noPSUn70gLhcj/lvxl7K9BHyD4Sq5C zktwYtFWLiiwV+ZY/Fl6JgbGaQyQB2  bP4i RMfloGqsxGuB1evWVDF1haGpFDSPgM nEPSLg3/3dXn+HDJbZ29EU8/xKzQEb  3V0A HKbu80zGllLEt2Zx/WDIrgJEN9yMfg KFpcmL+BvIRsmh0VsCAwEAAaOBqzCB  qDAf BgNVHSMEGDAWgBQATgxHQyRUfKIZtd p55bZlFr+tFzAPBgNVHRMBAf8EBTAD  AQH/ MA4GA1UdDwEB/wQEAwIBxjAdBgNVHQ 4EFgQUAE4MR0MkVHyiGbXaeeW2ZRa/  rRcw RQYIKwYBBQUHAQEEOTA3MDUGCCsGAQ UFBzABhilodHRwOi8vbG9jYWxob3N0  Lmxv Y2FsZG9tYWluOjkxODAvY2Evb2NzcD ANBgkqhkiG9w0BAQUFAAOCAQEAi8Gk  L3XO 43u7/TDOeEsWPmq+jZsDZ3GZ85Ajt3 KROLWeKVZZZa2E2Hnsvf2uXbk5amKe  lRxd SeRH9g85pv4KY7Z8xZ71NrI3+K3uwm nqkc6t0hhYb1mw/gx8OAAoluQx3biX  JBDx jI73Cf7XUopplHBjjiwyGIJUO8BEZJ 5L+TF4P38MJz1snLtzZpEAX5bl0U76  bfu/ tZFWBbE8YAWYtkCtMcalBPj6jn2WD3 M01kGozW4mmbvsj1cRB9HnsGsqyHCu  U0uj lL1H/RWcjn607+CTeKH9jLMUqCIqPJ NOa+kq/6F7NhNRRiuzASIbZc30BZ5a  nI7q5n1USM3eWQlVXw==  —–END CERTIFICATE—–    Listing Keys    Keys are the original material used to encrypt certificate data. The keys    generated for certificates are stored separately, in the key database.    To list all keys in the database, use the -K command option and the    (required) -d argument to give the path to the directory.  $ certutil -K -d sql:/home/my/sharednssdb  certutil: Checking token “NSS Certificate DB” in slot “NSS User Private Key and Certificate Services                  ”  < 0> rsa 455a6673bde9 375c2887ec8bf8016b3f9f35861d Thawte Freemail Member’s Thawte Consulting (Pty) Ltd. ID  < 1> rsa 40defeeb522a de11090eacebaaf1196a172127df Example Domain Administrator Cert  < 2> rsa 1d0b06f44f6c 03842f7d4f4a1dc78b3bcd1b85a5 John Smith user cert    There are ways to narrow the keys listed in the search results:      o To return a specific key, use the -n name argument with the name of        the key.      o If there are multiple security devices loaded, then the -h tokenname        argument can search a specific token or all tokens.      o If there are multiple key types available, then the -k key-type        argument can search a specific type of key, like RSA, DSA, or ECC.    Listing Security Modules    The devices that can be used to store certificates – both internal    databases and external devices like smart cards – are recognized and used    by loading security modules. The -U command option lists all of the    security modules listed in the secmod.db database. The path to the    directory (-d) is required.  $ certutil -U -d sql:/home/my/sharednssdb      slot: NSS User Private Key and Certificate Services     token: NSS Certificate DB      slot: NSS Internal Cryptographic Services     token: NSS Generic Crypto Services    Adding Certificates to the Database    Existing certificates or certificate requests can be added manually to the    certificate database, even if they were generated elsewhere. This uses the    -A command option.  certutil -A -n certname -t trustargs -d [sql:]directory [-a] [-i input-file]    For example:  $ certutil -A -n “CN=My SSL Certificate” -t “u,u,u” -d sql:/home/my/sharednssdb -i /home/example-certs/cert.cer    A related command option, -E, is used specifically to add email    certificates to the certificate database. The -E command has the same    arguments as the -A command. The trust arguments for certificates have the    format SSL,S/MIME,Code-signing, so the middle trust settings relate most    to email certificates (though the others can be set). For example:  $ certutil -E -n “CN=John Smith Email Cert” -t “,Pu,” -d sql:/home/my/sharednssdb -i /home/example-certs/email.cer    Deleting Certificates to the Database    Certificates can be deleted from a database using the -D option. The only    required options are to give the security database directory and to    identify the certificate nickname.  certutil -D -d [sql:]directory -n “nickname”    For example:  $ certutil -D -d sql:/home/my/sharednssdb -n “my-ssl-cert”    Validating Certificates    A certificate contains an expiration date in itself, and expired    certificates are easily rejected. However, certificates can also be    revoked before they hit their expiration date. Checking whether a    certificate has been revoked requires validating the certificate.    Validation can also be used to ensure that the certificate is only used    for the purposes it was initially issued for. Validation is carried out by    the -V command option.  certutil -V -n certificate-name [-b time] [-e] [-u cert-usage] -d [sql:]directory    For example, to validate an email certificate:  $ certutil -V -n “John Smith’s Email Cert” -e -u S,R -d sql:/home/my/sharednssdb    Modifying Certificate Trust Settings    The trust settings (which relate to the operations that a certificate is    allowed to be used for) can be changed after a certificate is created or    added to the database. This is especially useful for CA certificates, but    it can be performed for any type of certificate.  certutil -M -n certificate-name -t trust-args -d [sql:]directory    For example:  $ certutil -M -n “My CA Certificate” -d sql:/home/my/sharednssdb -t “CTu,CTu,CTu”    Printing the Certificate Chain    Certificates can be issued in chains because every certificate authority    itself has a certificate; when a CA issues a certificate, it essentially    stamps that certificate with its own fingerprint. The -O prints the full    chain of a certificate, going from the initial CA (the root CA) through    ever intermediary CA to the actual certificate. For example, for an email    certificate with two CAs in the chain:  $ certutil -d sql:/home/my/sharednssdb -O -n “jsmith@example.com”  “Builtin Object Token:Thawte Personal Freemail CA” [E=personal -freemail@thawte.com,CN=Thawte Personal Freemail CA,OU=Certification Services Division,O=Thawte Consulting,L=Cape Town,ST=Western Cape,C=ZA]    “Thawte Personal Freemail Issuing CA - Thawte Consulting” [CN=Thawte Personal Freemail Issuing CA,O=Thawte Consulting (Pty) Ltd.,C=ZA]      “(null)” [ E=jsmith@example.com,CN=Thawte Freemail Member]    Resetting a Token    The device which stores certificates – both external hardware devices and    internal software databases – can be blanked and reused. This operation    is performed on the device which stores the data, not directly on the    security databases, so the location must be referenced through the token    name (-h) as well as any directory path. If there is no external token    used, the default value is internal.  certutil -T -d [sql:]directory -h token-name -0 security-officer-password    Many networks have dedicated personnel who handle changes to security    tokens (the security officer). This person must supply the password to    access the specified token. For example:  $ certutil -T -d sql:/home/my/sharednssdb -h nethsm -0 secret    Upgrading or Merging the Security Databases    Many networks or applications may be using older BerkeleyDB versions of    the certificate database (cert8.db). Databases can be upgraded to the new    SQLite version of the database (cert9.db) using the –upgrade-merge    command option or existing databases can be merged with the new cert9.db    databases using the —merge command.    The –upgrade-merge command must give information about the original    database and then use the standard arguments (like -d) to give the    information about the new databases. The command also requires information    that the tool uses for the process to upgrade and write over the original    database.  certutil –upgrade-merge -d [sql:]directory [-P dbprefix] –source-dir directory –source-prefix dbprefix –upgrade-id id –upgrade-token-name name [-@ password-file]    For example:  $ certutil –upgrade-merge -d sql:/home/my/sharednssdb –source-dir /opt/my-app/alias/ –source-prefix serverapp- –upgrade-id 1 –upgrade-token-name internal    The –merge command only requires information about the location of the    original database; since it doesn’t change the format of the database, it    can write over information without performing interim step.  certutil –merge -d [sql:]directory [-P dbprefix] –source-dir directory –source-prefix dbprefix [-@ password-file]    For example:  $ certutil –merge -d sql:/home/my/sharednssdb –source-dir /opt/my-app/alias/ –source-prefix serverapp-    Running certutil Commands from a Batch File    A series of commands can be run sequentially from a text file with the -B    command option. The only argument for this specifies the input file.  $ certutil -B -i /path/to/batch-file NSS Database Types    NSS originally used BerkeleyDB databases to store security information.    The last versions of these legacy databases are:      o cert8.db for certificates      o key3.db for keys      o secmod.db for PKCS #11 module information    BerkeleyDB has performance limitations, though, which prevent it from    being easily used by multiple applications simultaneously. NSS has some    flexibility that allows applications to use their own, independent    database engine while keeping a shared database and working around the    access issues. Still, NSS requires more flexibility to provide a truly    shared security database.    In 2009, NSS introduced a new set of databases that are SQLite databases    rather than BerkleyDB. These new databases provide more accessibility and    performance:      o cert9.db for certificates      o key4.db for keys      o pkcs11.txt, which is listing of all of the PKCS #11 modules contained        in a new subdirectory in the security databases directory    Because the SQLite databases are designed to be shared, these are the    shared database type. The shared database type is preferred; the legacy    format is included for backward compatibility.    By default, the tools (certutil, pk12util, modutil) assume that the given    security databases follow the more common legacy type. Using the SQLite    databases must be manually specified by using the sql: prefix with the    given security directory. For example:  $ certutil -L -d sql:/home/my/sharednssdb    To set the shared database type as the default type for the tools, set the    NSS_DEFAULT_DB_TYPE environment variable to sql:  export NSS_DEFAULT_DB_TYPE=”sql”    This line can be set added to the ~/.bashrc file to make the change    permanent.    Most applications do not use the shared database by default, but they can    be configured to use them. For example, this how-to article covers how to    configure Firefox and Thunderbird to use the new shared NSS databases:

https://wiki.m ozilla.org/NSS_Shared_DB_Howto    For an engineering draft on the changes in the shared NSS databases, see    the NSS project wiki:

https:// wiki.mozilla.org/NSS_Shared_DB See Also    pk12util (1)    modutil (1)    certutil has arguments or operations that use features defined in several    IETF RFCs.

http://tools.ietf.org/htm l/rfc5280

http://tools.ietf.org/htm l/rfc1113

http://tools.ietf.org/htm l/rfc1485    The NSS wiki has information on the new database design and how to    configure applications to use it.

https://wiki.m ozilla.org/NSS_Shared_DB_Howto

https:// wiki.mozilla.org/NSS_Shared_DB Additional Resources    For information about NSS and other tools related to NSS (like JSS), check    out the NSS project wiki at

[1]http://www.mozil la.org/projects/security/pki/n ss/. The NSS site relates    directly to NSS code changes and releases.    Mailing lists: https://lists.mozill a.org/listinfo/dev-tech-crypto    IRC: Freenode at #dogtag-pki Authors    The NSS tools were written and maintained by developers with Netscape, Red    Hat, and Sun.    Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey    <dlackey@redhat.com>. Copyright    (c) 2010, Red Hat, Inc. Licensed under the GNU Public License version 2. References    Visible links    1. http://www.mozi lla.org/projects/security/pki/ nss/

339

mozil la_projects_nss_tools_cmsutil

Name    cmsutil — Performs basic cryptograpic operations, such as encryption and    decryption, on Cryptographic Message Syntax (CMS) messages. Synopsis    cmsutil [options] arguments Description    The cmsutil command-line uses the S/MIME Toolkit to perform basic    operations, such as encryption and decryption, on Cryptographic Message    Syntax (CMS) messages.    To run cmsutil, type the command cmsutil option [arguments] where option    and arguments are combinations of the options and arguments listed in the    following section. Each command takes one option. Each option may take    zero or more arguments. To see a usage string, issue the command without    options. Options and Arguments    Options    Options specify an action. Option arguments modify an action. The options    and arguments for the cmsutil command are defined as follows:    -D            Decode a message.    -C            Encrypt a message.    -E            Envelope a message.    -O            Create a certificates-only message.    -S            Sign a message.    Arguments    Option arguments modify an action and are lowercase.    -c content            Use this detached content (decode only).    -d dbdir            Specify the key/certificate database directory (default is “.”)    -e envfile            Specify a file containing an enveloped message for a set of            recipients to which you would like to send an encrypted message.            If this is the first encrypted message for that set of recipients,            a new enveloped message will be created that you can then use for            future messages (encrypt only).    -G            Include a signing time attribute (sign only).    -h num            Generate email headers with info about CMS message (decode only).    -i infile            Use infile as a source of data (default is stdin).    -N nickname            Specify nickname of certificate to sign with (sign only).    -n            Suppress output of contents (decode only).    -o outfile            Use outfile as a destination of data (default is stdout).    -P            Include an S/MIME capabilities attribute.    -p password            Use password as key database password.    -r recipient1,recipient2, …            Specify list of recipients (email addresses) for an encrypted or            enveloped message. For certificates-only message, list of            certificates to send.    -T            Suppress content in CMS message (sign only).    -u certusage            Set type of cert usage (default is certUsageEmailSigner).    -Y ekprefnick            Specify an encryption key preference by nickname. Usage    Encrypt Example  cmsutil -C [-i infile] [-o outfile] [-d dbdir] [-p password] -r “recipient1,recipient2, …” -e envfile    Decode Example  cmsutil -D [-i infile] [-o outfile] [-d dbdir] [-p password] [-c content] [-n] [-h num]    Envelope Example  cmsutil -E [-i infile] [-o outfile] [-d dbdir] [-p password] -r “recipient1,recipient2, …”    Certificate-only Example  cmsutil -O [-i infile] [-o outfile] [-d dbdir] [-p password] -r “cert1,cert2, . . .”    Sign Message Example  cmsutil -S [-i infile] [-o outfile] [-d dbdir] [-p password] -N nickname[-TGP] [-Y ekprefnick] See also    certutil(1) See Also Additional Resources    NSS is maintained in conjunction with PKI and security-related projects    through Mozilla dn Fedora. The most closely-related project is Dogtag PKI,    with a project wiki at [1]http: //pki.fedoraproject.org/wiki/.    For information specifically about NSS, the NSS project wiki is located at

[2]http://www.mozil la.org/projects/security/pki/n ss/. The NSS site relates    directly to NSS code changes and releases.    Mailing lists: pki-devel@redhat.com and pki-users@redhat.com    IRC: Freenode at #dogtag-pki Authors    The NSS tools were written and maintained by developers with Netscape and    now with Red Hat.    Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey    <dlackey@redhat.com>. Copyright    (c) 2010, Red Hat, Inc. Licensed under the GNU Public License version 2. References    Visible links    1. http ://pki.fedoraproject.org/wiki/    2. http://www.mozi lla.org/projects/security/pki/ nss/

340

mozil la_projects_nss_tools_crlutil

Name    crlutil — List, generate, modify, or delete CRLs within the NSS security    database file(s) and list, create, modify or delete certificates entries    in a particular CRL. Synopsis    crlutil [options] arguments Description    The Certificate Revocation List (CRL) Management Tool, crlutil, is a    command-line utility that can list, generate, modify, or delete CRLs    within the NSS security database file(s) and list, create, modify or    delete certificates entries in a particular CRL.    The key and certificate management process generally begins with creating    keys in the key database, then generating and managing certificates in the    certificate database(see certutil tool) and continues with certificates    expiration or revocation.    This document discusses certificate revocation list management. For    information on security module database management, see Using the Security    Module Database Tool. For information on certificate and key database    management, see Using the Certificate Database Tool.    To run the Certificate Revocation List Management Tool, type the command    crlutil option [arguments]    where options and arguments are combinations of the options and arguments    listed in the following section. Each command takes one option. Each    option may take zero or more arguments. To see a usage string, issue the    command without options, or with the -H option. Options and Arguments    Options    Options specify an action. Option arguments modify an action. The options    and arguments for the crlutil command are defined as follows:    -G            Create new Certificate Revocation List(CRL).    -D            Delete Certificate Revocation List from cert database.    -I            Import a CRL to the cert database    -E            Erase all CRLs of specified type from the cert database    -L            List existing CRL located in cert database file.    -M            Modify existing CRL which can be located in cert db or in            arbitrary file. If located in file it should be encoded in ASN.1            encode format.    -G    Arguments    Option arguments modify an action and are lowercase.    -B            Bypass CA signature checks.    -P dbprefix            Specify the prefix used on the NSS security database files (for            example, my_cert8.db and my_key3.db). This option is provided as a            special case. Changing the names of the certificate and key            databases is not recommended.    -a            Use ASCII format or allow the use of ASCII format for input and            output. This formatting follows RFC #1113.    -c crl-gen-file            Specify script file that will be used to control crl

generation/modification. See crl-cript-file format below. If            options -M|-G is used and -c crl-script-file is not specified,            crlutil will read script data from standard input.    -d directory            Specify the database directory containing the certificate and key            database files. On Unix the Certificate Database Tool defaults to            $HOME/.netscape (that is, ~/.netscape). On Windows NT the default            is the current directory.            The NSS database files must reside in the same directory.    -i crl-import-file            Specify the file which contains the CRL to import    -f password-file            Specify a file that will automatically supply the password to            include in a certificate or to access a certificate database. This            is a plain-text file containing one password. Be sure to prevent            unauthorized access to this file.    -l algorithm-name            Specify a specific signature algorithm. List of possible            algorithms: MD2 | MD4 | MD5 | SHA1 | SHA256 | SHA384 | SHA512    -n nickname            Specify the nickname of a certificate or key to list, create, add            to a database, modify, or validate. Bracket the nickname string            with quotation marks if it contains spaces.    -o output-file            Specify the output file name for new CRL. Bracket the output-file            string with quotation marks if it contains spaces. If this            argument is not used the output destination defaults to standard            output.    -t crl-type            Specify type of CRL. possible types are: 0 - SEC_KRL_TYPE, 1 -            SEC_CRL_TYPE. This option is obsolete    -u url            Specify the url. CRL Generation script syntax    CRL generation script file has the following syntax:    * Line with comments should have # as a first symbol of a line    * Set “this update” or “next update” CRL fields:    update=YYYYMMDDhhmmssZ nextupdate=YYYYMMDDhhmmssZ    Field “next update” is optional. Time should be in GeneralizedTime format    (YYYYMMDDhhmmssZ). For example: 20050204153000Z    * Add an extension to a CRL or a crl certificate entry:    addext extension-name critical/non-critical [arg1[arg2 …]]    Where:    extension-name: string value of a name of known extensions.    critical/non-critical: is 1 when extension is critical and 0 otherwise.    arg1, arg2: specific to extension type extension parameters    addext uses the range that was set earlier by addcert and will install an    extension to every cert entries within the range.    * Add certificate entries(s) to CRL:    addcert range date    range: two integer values separated by dash: range of certificates that    will be added by this command. dash is used as a delimiter. Only one cert    will be added if there is no delimiter. date: revocation date of a cert.    Date should be represented in GeneralizedTime format (YYYYMMDDhhmmssZ).    * Remove certificate entry(s) from CRL    rmcert range    Where:    range: two integer values separated by dash: range of certificates that    will be added by this command. dash is used as a delimiter. Only one cert    will be added if there is no delimiter.    * Change range of certificate entry(s) in CRL    range new-range    Where:    new-range: two integer values separated by dash: range of certificates    that will be added by this command. dash is used as a delimiter. Only one    cert will be added if there is no delimiter.    Implemented Extensions    The extensions defined for CRL provide methods for associating additional    attributes with CRLs of theirs entries. For more information see RFC #3280    * Add The Authority Key Identifier extension:    The authority key identifier extension provides a means of identifying the    public key corresponding to the private key used to sign a CRL.    authKeyId critical [key-id | dn cert-serial]    Where:    authKeyIdent: identifies the name of an extension critical: value of 1 of    0. Should be set to 1 if this extension is critical or 0 otherwise.    key-id: key identifier represented in octet string. dn:: is a CA    distinguished name cert-serial: authority certificate serial number.    * Add Issuer Alternative Name extension:    The issuer alternative names extension allows additional identities to be    associated with the issuer of the CRL. Defined options include an rfc822    name (electronic mail address), a DNS name, an IP address, and a URI.    issuerAltNames non-critical name-list    Where:    subjAltNames: identifies the name of an extension should be set to 0 since    this is non-critical extension name-list: comma separated list of names    * Add CRL Number extension:    The CRL number is a non-critical CRL extension which conveys a    monotonically increasing sequence number for a given CRL scope and CRL    issuer. This extension allows users to easily determine when a particular    CRL supersedes another CRL    crlNumber non-critical number    Where:    crlNumber: identifies the name of an extension critical: should be set to    0 since this is non-critical extension number: value of long which    identifies the sequential number of a CRL.    * Add Revocation Reason Code extension:    The reasonCode is a non-critical CRL entry extension that identifies the    reason for the certificate revocation.    reasonCode non-critical code    Where:    reasonCode: identifies the name of an extension non-critical: should be    set to 0 since this is non-critical extension code: the following codes    are available:    unspecified (0), keyCompromise (1), cACompromise (2), affiliationChanged    (3), superseded (4), cessationOfOperation (5), certificateHold (6),    removeFromCRL (8), privilegeWithdrawn (9), aACompromise (10)    * Add Invalidity Date extension:    The invalidity date is a non-critical CRL entry extension that provides    the date on which it is known or suspected that the private key was    compromised or that the certificate otherwise became invalid.    invalidityDate non-critical date    Where:    crlNumber: identifies the name of an extension non-critical: should be set    to 0 since this is non-critical extension date: invalidity date of a cert.    Date should be represented in GeneralizedTime format (YYYYMMDDhhmmssZ). Usage    The Certificate Revocation List Management Tool’s capabilities are grouped    as follows, using these combinations of options and arguments. Options and    arguments in square brackets are optional, those without square brackets    are required.    See “Implemented extensions” for more information regarding extensions and    their parameters.    * Creating or modifying a CRL:  crlutil -G|-M -c crl-gen-file -n nickname [-i crl] [-u url] [-d keydir] [-P dbprefix] [-l alg] [-a] [-B]    * Listing all CRls or a named CRL:          crlutil -L [-n crl-name] [-d krydir]    * Deleting CRL from db:          crlutil -D -n nickname [-d keydir] [-P dbprefix]    * Erasing CRLs from db:          crlutil -E [-d keydir] [-P dbprefix]    * Deleting CRL from db:            crlutil -D -n nickname [-d keydir] [-P dbprefix]    * Erasing CRLs from db:            crlutil -E [-d keydir] [-P dbprefix]    * Import CRL from file:            crlutil -I -i crl [-t crlType] [-u url] [-d keydir] [-P dbprefix] [-B] See also    certutil(1) See Also Additional Resources    NSS is maintained in conjunction with PKI and security-related projects    through Mozilla dn Fedora. The most closely-related project is Dogtag PKI,    with a project wiki at [1]http: //pki.fedoraproject.org/wiki/.    For information specifically about NSS, the NSS project wiki is located at

[2]http://www.mozil la.org/projects/security/pki/n ss/. The NSS site relates    directly to NSS code changes and releases.    Mailing lists: pki-devel@redhat.com and pki-users@redhat.com    IRC: Freenode at #dogtag-pki Authors    The NSS tools were written and maintained by developers with Netscape and    now with Red Hat.    Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey    <dlackey@redhat.com>. Copyright    (c) 2010, Red Hat, Inc. Licensed under the GNU Public License version 2. References    Visible links    1. http ://pki.fedoraproject.org/wiki/    2. http://www.mozi lla.org/projects/security/pki/ nss/

341

mozil la_projects_nss_tools_modutil

Name    modutil — Manage PKCS #11 module information within the security module    database. Synopsis    modutil [options] arguments Description    The Security Module Database Tool, modutil, is a command-line utility for    managing PKCS #11 module information both within secmod.db files and    within hardware tokens. modutil can add and delete PKCS #11 modules,    change passwords on security databases, set defaults, list module    contents, enable or disable slots, enable or disable FIPS 140-2    compliance, and assign default providers for cryptographic operations.    This tool can also create certificate, key, and module security database    files.    The tasks associated with security module database management are part of    a process that typically also involves managing key databases and    certificate databases. Options    Running modutil always requires one (and only one) option to specify the    type of module operation. Each option may take arguments, anywhere from    none to multiple arguments.    Options    -add modulename            Add the named PKCS #11 module to the database. Use this option            with the -libfile, -ciphers, and -mechanisms arguments.    -changepw tokenname            Change the password on the named token. If the token has not been            initialized, this option initializes the password. Use this option            with the -pwfile and -newpwfile arguments. A password is            equivalent to a personal identification number (PIN).    -chkfips            Verify whether the module is in the given FIPS mode. true means to            verify that the module is in FIPS mode, while false means to            verify that the module is not in FIPS mode.    -create            Create new certificate, key, and module databases. Use the -dbdir            directory argument to specify a directory. If any of these            databases already exist in a specified directory, modutil returns            an error message.    -default modulename            Specify the security mechanisms for which the named module will be            a default provider. The security mechanisms are specified with the            -mechanisms argument.    -delete modulename            Delete the named module. The default NSS PKCS #11 module cannot be            deleted.    -disable modulename            Disable all slots on the named module. Use the -slot argument to            disable a specific slot.    -enable modulename            Enable all slots on the named module. Use the -slot argument to            enable a specific slot.    -fips [true | false]            Enable (true) or disable (false) FIPS 140-2 compliance for the            default NSS module.    -force            Disable modutil’s interactive prompts so it can be run from a            script. Use this option only after manually testing each planned            operation to check for warnings and to ensure that bypassing the            prompts will cause no security lapses or loss of database            integrity.    -jar JAR-file            Add a new PKCS #11 module to the database using the named JAR            file. Use this command with the -installdir and -tempdir            arguments. The JAR file uses the NSS PKCS #11 JAR format to            identify all the files to be installed, the module’s name, the            mechanism flags, and the cipher flags, as well as any files to be            installed on the target machine, including the PKCS #11 module            library file and other files such as documentation. This is            covered in the JAR installation file section in the man page,            which details the special script needed to perform an installation            through a server or with modutil.    -list [modulename]            Display basic information about the contents of the secmod.db            file. Specifying a modulename displays detailed information about            a particular module and its slots and tokens.    -rawadd            Add the module spec string to the secmod.db database.    -rawlist            Display the module specs for a specified module or for all            loadable modules.    -undefault modulename            Specify the security mechanisms for which the named module will            not be a default provider. The security mechanisms are specified            with the -mechanisms argument.    Arguments    MODULE            Give the security module to access.    MODULESPEC            Give the security module spec to load into the security database.    -ciphers cipher-enable-list            Enable specific ciphers in a module that is being added to the            database. The cipher-enable-list is a colon-delimited list of            cipher names. Enclose this list in quotation marks if it contains            spaces.    -dbdir [sql:]directory            Specify the database directory in which to access or create            security module database files.            modutil supports two types of databases: the legacy security            databases (cert8.db, key3.db, and secmod.db) and new SQLite            databases (cert9.db, key4.db, and pkcs11.txt). If the prefix sql:            is not used, then the tool assumes that the given databases are in            the old format.    –dbprefix prefix            Specify the prefix used on the database files, such as my_ for            my_cert8.db. This option is provided as a special case. Changing            the names of the certificate and key databases is not recommended.    -installdir root-installation-directory            Specify the root installation directory relative to which files            will be installed by the -jar option. This directory should be one            below which it is appropriate to store dynamic library files, such            as a server’s root directory.    -libfile library-file            Specify a path to a library file containing the implementation of            the PKCS #11 interface module that is being added to the database.    -mechanisms mechanism-list            Specify the security mechanisms for which a particular module will            be flagged as a default provider. The mechanism-list is a            colon-delimited list of mechanism names. Enclose this list in            quotation marks if it contains spaces.            The module becomes a default provider for the listed mechanisms            when those mechanisms are enabled. If more than one module claims            to be a particular mechanism’s default provider, that mechanism’s            default provider is undefined.            modutil supports several mechanisms: RSA, DSA, RC2, RC4, RC5, AES,            DES, DH, SHA1, SHA256, SHA512, SSL, TLS, MD5, MD2, RANDOM (for            random number generation), and FRIENDLY (meaning certificates are            publicly readable).    -newpwfile new-password-file            Specify a text file containing a token’s new or replacement            password so that a password can be entered automatically with the            -changepw option.    -nocertdb            Do not open the certificate or key databases. This has several            effects:               o With the -create command, only a module security file is                 created; certificate and key databases are not created.               o With the -jar command, signatures on the JAR file are not                 checked.               o With the -changepw command, the password on the NSS internal                 module cannot be set or changed, since this password is                 stored in the key database.    -pwfile old-password-file            Specify a text file containing a token’s existing password so that            a password can be entered automatically when the -changepw option            is used to change passwords.    -secmod secmodname            Give the name of the security module database (like secmod.db) to            load.    -slot slotname            Specify a particular slot to be enabled or disabled with the            -enable or -disable options.    -string CONFIG_STRING            Pass a configuration string for the module being added to the            database.    -tempdir temporary-directory            Give a directory location where temporary files are created during            the installation by the -jar option. If no temporary directory is            specified, the current directory is used. Usage and Examples    Creating Database Files    Before any operations can be performed, there must be a set of security    databases available. modutil can be used to create these files. The only    required argument is the database that where the databases will be    located.  modutil -create -dbdir [sql:]directory    Adding a Cryptographic Module    Adding a PKCS #11 module means submitting a supporting library file,    enabling its ciphers, and setting default provider status for various    security mechanisms. This can be done by supplying all of the information    through modutil directly or by running a JAR file and install script. For    the most basic case, simply upload the library:  modutil -add modulename -libfile library-file [-ciphers cipher-enable-list] [-mechanisms mechanism-list]    For example:  modutil -dbdir sql:/home/my/sharednssdb -add “Example PKCS #11 Module” -libfile “/tmp/crypto.so” -mechanisms RSA:DSA:RC2:RANDOM  Using database directory …  Module “Example PKCS #11 Module” added to database.    Installing a Cryptographic Module from a JAR File    PKCS #11 modules can also be loaded using a JAR file, which contains all    of the required libraries and an installation script that describes how to    install the module. The JAR install script is described in more detail in    [1]the section called “JAR Installation File Format”.    The JAR installation script defines the setup information for each    platform that the module can be installed on. For example:  Platforms {     Linux:5.4.08:x86 {        ModuleName { “Example PKCS #11 Module” }        ModuleFile { crypto.so }

DefaultMechanismFlags{0x0000}

CipherEnableFlags{0x0000}        Files {           crypto.so {              Path{ /tmp/crypto.so }           }           setup.sh {              Executable              Path{ /tmp/setup.sh }           }        }     }     Linux:6.0.0:x86 {        EquivalentPlatform { Linux:5.4.08:x86 }     }  }    Both the install script and the required libraries must be bundled in a    JAR file, which is specified with the -jar argument.  modutil -dbdir sql:/home/mt “jar-install-filey/sharednssdb -jar install.jar -installdir sql:/home/my/sharednssdb  This installation JAR file was signed by:  —————- ——————————  SUBJECT NAME**  C=US, ST=California, L=Mountain View, CN=Cryptorific Inc., OU=Digital ID  Class 3 - Netscape Object Signing, OU=”w ww.verisign.com/repository/CPS  Incorp. by Ref.,LIAB.LTD(c)9 6”, OU=www.verisign.com/CPS Incorp.by Ref  . LIABILITY LTD.(c)97 VeriSign, OU=VeriSign Object Signing CA - Class 3  Organization, OU=”VeriSign, Inc.”, O=VeriSign Trust Network **ISSUER  NAME, OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97  VeriSign, OU=VeriSign Object Signing CA - Class 3 Organization,  OU=”VeriSign, Inc.”, O=VeriSign Trust Network  —————- ——————————  Do you wish to continue this installation? (y/n) y  Using installer script “installer_script”  Successfully parsed installation script  Current platform is Linux:5.4.08:x86  Using installation parameters for platform Linux:5.4.08:x86  Installed file crypto.so to /tmp/crypto.so  Installed file setup.sh to ./pk11inst.dir/setup.sh  Executing “./pk11inst.dir/setup.sh”…  ”./pk11inst.dir/setup.sh” executed successfully  Installed module “Example PKCS #11 Module” into module database  Installation completed successfully    Adding Module Spec    Each module has information stored in the security database about its    configuration and parameters. These can be added or edited using the    -rawadd command. For the current settings or to see the format of the    module spec in the database, use the -rawlist option.  modutil -rawadd modulespec    Deleting a Module    A specific PKCS #11 module can be deleted from the secmod.db database:  modutil -delete modulename -dbdir [sql:]directory    Displaying Module Information    The secmod.db database contains information about the PKCS #11 modules    that are available to an application or server to use. The list of all    modules, information about specific modules, and database configuration    specs for modules can all be viewed.    To simply get a list of modules in the database, use the -list command.  modutil -list [modulename] -dbdir [sql:]directory    Listing the modules shows the module name, their status, and other    associated security databases for certificates and keys. For example:  modutil -list -dbdir sql:/home/my/sharednssdb  Listing of PKCS #11 Modules  —————————– ——————————    1. NSS Internal PKCS #11 Module           slots: 2 slots attached          status: loaded           slot: NSS Internal Cryptographic Services          token: NSS Generic Crypto Services           slot: NSS User Private Key and Certificate Services          token: NSS Certificate DB  —————————– ——————————    Passing a specific module name with the -list returns details information    about the module itself, like supported cipher mechanisms, version    numbers, serial numbers, and other information about the module and the    token it is loaded on. For example:   modutil -list “NSS Internal PKCS #11 Module” -dbdir sql:/home/my/sharednssdb  —————————– ——————————  Name: NSS Internal PKCS #11 Module  Library file: **Internal ONLY module**  Manufacturer: Mozilla Foundation  Description: NSS Internal Crypto Services  PKCS #11 Version 2.20  Library Version: 3.11  Cipher Enable Flags: None  Default Mechanism Flags: RSA:RC2:RC4:D ES:DH:SHA1:MD5:MD2:SSL:TLS:AES    Slot: NSS Internal Cryptographic Services    Slot Mechanism Flags: RSA:RC2:RC4:D ES:DH:SHA1:MD5:MD2:SSL:TLS:AES    Manufacturer: Mozilla Foundation    Type: Software    Version Number: 3.11    Firmware Version: 0.0    Status: Enabled    Token Name: NSS Generic Crypto Services    Token Manufacturer: Mozilla Foundation    Token Model: NSS 3    Token Serial Number: 0000000000000000    Token Version: 4.0    Token Firmware Version: 0.0    Access: Write Protected    Login Type: Public (no login required)    User Pin: NOT Initialized    Slot: NSS User Private Key and Certificate Services    Slot Mechanism Flags: None    Manufacturer: Mozilla Foundation    Type: Software    Version Number: 3.11    Firmware Version: 0.0    Status: Enabled    Token Name: NSS Certificate DB    Token Manufacturer: Mozilla Foundation    Token Model: NSS 3    Token Serial Number: 0000000000000000    Token Version: 8.3    Token Firmware Version: 0.0    Access: NOT Write Protected    Login Type: Login required    User Pin: Initialized    A related command, -rawlist returns information about the database    configuration for the modules. (This information can be edited by loading    new specs using the -rawadd command.)   modutil -rawlist -dbdir sql:/home/my/sharednssdb   name=”NSS Internal PKCS #11 Module” parameters=”configdir=. certPrefix= keyPrefix= secmod=secmod.db flags=readOnly ” NSS=”trustOrder=75 cipherOrder=100 slotParams={0x00000001=[ slotFlags=RSA,RC4,RC2,DES,DH,S HA1,MD5,MD2,SSL,TLS,AES,RANDOM askpw=any timeout=30 ] } Flags=internal,critical”    Setting a Default Provider for Security Mechanisms    Multiple security modules may provide support for the same security    mechanisms. It is possible to set a specific security module as the    default provider for a specific security mechanism (or, conversely, to    prohibit a provider from supplying those mechanisms).  modutil -default modulename -mechanisms mechanism-list    To set a module as the default provider for mechanisms, use the -default    command with a colon-separated list of mechanisms. The available    mechanisms depend on the module; NSS supplies almost all common    mechanisms. For example:  modutil -default “NSS Internal PKCS #11 Module” -dbdir -mechanisms RSA:DSA:RC2  Using database directory c:databases…  Successfully changed defaults.    Clearing the default provider has the same format:  modutil -undefault “NSS Internal PKCS #11 Module” -dbdir -mechanisms MD2:MD5    Enabling and Disabling Modules and Slots    Modules, and specific slots on modules, can be selectively enabled or    disabled using modutil. Both commands have the same format:  modutil -enable|-disable modulename [-slot slotname]    For example:  modutil -enable “NSS Internal PKCS #11 Module” -slot “NSS Internal Cryptographic Servi ces ” -dbdir .  Slot “NSS Internal Cryptographic Servi ces ” enabled.    Be sure that the appropriate amount of trailing whitespace is after the    slot name. Some slot names have a significant amount of whitespace that    must be included, or the operation will fail.    Enabling and Verifying FIPS Compliance    The NSS modules can have FIPS 140-2 compliance enabled or disabled using    modutil with the -fips option. For example:  modutil -fips true -dbdir sql:/home/my/sharednssdb/  FIPS mode enabled.    To verify that status of FIPS mode, run the -chkfips command with either a    true or false flag (it doesn’t matter which). The tool returns the current    FIPS setting.  modutil -chkfips false -dbdir sql:/home/my/sharednssdb/  FIPS mode enabled.    Changing the Password on a Token    Initializing or changing a token’s password:  modutil -changepw tokenname [-pwfile old-password-file] [-newpwfile new-password-file]  modutil -dbdir sql:/home/my/sharednssdb -changepw “NSS Certificate DB”  Enter old password:  Incorrect password, try again…  Enter old password:  Enter new password:  Re-enter new password:  Token “Communicator Certificate DB” password changed successfully. JAR Installation File Format    When a JAR file is run by a server, by modutil, or by any program that    does not interpret JavaScript, a special information file must be included    to install the libraries. There are several things to keep in mind with    this file:      o It must be declared in the JAR archive’s manifest file.      o The script can have any name.      o The metainfo tag for this is Pkcs11_install_script. To declare        meta-information in the manifest file, put it in a file that is passed        to signtool.    Sample Script    For example, the PKCS #11 installer script could be in the file    pk11install. If so, the metainfo file for signtool includes a line such as    this:  + Pkcs11_install_script: pk11install    The script must define the platform and version number, the module name    and file, and any optional information like supported ciphers and    mechanisms. Multiple platforms can be defined in a single install file.  ForwardCompatible { IRIX:6.2:mips SUNOS:5.5.1:sparc }  Platforms {     WINNT::x86 {        ModuleName { “Example Module” }        ModuleFile { win32/fort32.dll }

DefaultMechanismFlags{0x0001}

DefaultCipherFlags{0x0001}        Files {           win32/setup.exe {              Executable              RelativePath { %temp%/setup.exe }           }           win32/setup.hlp {              RelativePath { %temp%/setup.hlp }           }           win32/setup.cab {              RelativePath { %temp%/setup.cab }           }        }     }     WIN95::x86 {        EquivalentPlatform {WINNT::x86}     }     SUNOS:5.5.1:sparc {        ModuleName { “Example UNIX Module” }        ModuleFile { unix/fort.so }

DefaultMechanismFlags{0x0001}

CipherEnableFlags{0x0001}        Files {           unix/fort.so {

Re lativePath{%root%/lib/fort.so}

AbsolutePath{/u sr/local/netscape/lib/fort.so}

FilePermissions{555}           }           xplat/instr.html {

Relat ivePath{%root%/docs/inst.html}

AbsolutePath{/usr/ local/netscape/docs/inst.html}

FilePermissions{555}           }        }     }     IRIX:6.2:mips {        EquivalentPlatform { SUNOS:5.5.1:sparc }     }  }    Script Grammar    The script is basic Java, allowing lists, key-value pairs, strings, and    combinations of all of them.  –> valuelist  valuelist –> value valuelist                 <null>  value —> key_value_pair              string  key_value_pair –> key { valuelist }  key –> string  string –> simple_string              “complex_string”  simple_string –> [^ \tn"”{“”}”]+  complex_string –> ([^"\rn]|(\")|(\\))+    Quotes and backslashes must be escaped with a backslash. A complex string    must not include newlines or carriage returns.Outside of complex strings,    all white space (for example, spaces, tabs, and carriage returns) is    considered equal and is used only to delimit tokens.    Keys    The Java install file uses keys to define the platform and module    information.    ForwardCompatible gives a list of platforms that are forward compatible.    If the current platform cannot be found in the list of supported    platforms, then the ForwardCompatible list is checked for any platforms    that have the same OS and architecture in an earlier version. If one is    found, its attributes are used for the current platform.    Platforms (required) Gives a list of platforms. Each entry in the list is    itself a key-value pair: the key is the name of the platform and the value    list contains various attributes of the platform. The platform string is    in the format system name:OS release:architecture. The installer obtains    these values from NSPR. OS release is an empty string on non-Unix    operating systems. NSPR supports these platforms:      o AIX (rs6000)      o BSDI (x86)      o FREEBSD (x86)      o HPUX (hppa1.1)      o IRIX (mips)      o LINUX (ppc, alpha, x86)      o MacOS (PowerPC)      o NCR (x86)      o NEC (mips)      o OS2 (x86)      o OSF (alpha)      o ReliantUNIX (mips)      o SCO (x86)      o SOLARIS (sparc)      o SONY (mips)      o SUNOS (sparc)      o UnixWare (x86)      o WIN16 (x86)      o WIN95 (x86)      o WINNT (x86)    For example:  IRIX:6.2:mips  SUNOS:5.5.1:sparc  Linux:2.0.32:x86  WIN95::x86    The module information is defined independently for each platform in the    ModuleName, ModuleFile, and Files attributes. These attributes must be    given unless an EquivalentPlatform attribute is specified.    Per-Platform Keys    Per-platform keys have meaning only within the value list of an entry in    the Platforms list.    ModuleName (required) gives the common name for the module. This name is    used to reference the module by servers and by the modutil tool.    ModuleFile (required) names the PKCS #11 module file for this platform.    The name is given as the relative path of the file within the JAR archive.    Files (required) lists the files that need to be installed for this    module. Each entry in the file list is a key-value pair. The key is the    path of the file in the JAR archive, and the value list contains    attributes of the file. At least RelativePath or AbsolutePath must be    specified for each file.    DefaultMechanismFlags specifies mechanisms for which this module is the    default provider; this is equivalent to the -mechanism option with the    -add command. This key-value pair is a bitstring specified in hexadecimal    (0x) format. It is constructed as a bitwise OR. If the    DefaultMechanismFlags entry is omitted, the value defaults to 0x0.  RSA: 0x00000001  DSA: 0x00000002  RC2: 0x00000004  RC4: 0x00000008  DES: 0x00000010  DH: 0x00000020  FORTEZZA: 0x00000040  RC5: 0x00000080  SHA1: 0x00000100  MD5: 0x00000200  MD2: 0x00000400  RANDOM: 0x08000000  FRIENDLY: 0x10000000  OWN_PW_DEFAULTS: 0x20000000  DISABLE: 0x40000000    CipherEnableFlags specifies ciphers that this module provides that NSS    does not provide (so that the module enables those ciphers for NSS). This    is equivalent to the -cipher argument with the -add command. This key is a    bitstring specified in hexadecimal (0x) format. It is constructed as a    bitwise OR. If the CipherEnableFlags entry is omitted, the value defaults    to 0x0.    EquivalentPlatform specifies that the attributes of the named platform    should also be used for the current platform. This makes it easier when    more than one platform uses the same settings.    Per-File Keys    Some keys have meaning only within the value list of an entry in a Files    list.    Each file requires a path key the identifies where the file is. Either    RelativePath or AbsolutePath must be specified. If both are specified, the    relative path is tried first, and the absolute path is used only if no    relative root directory is provided by the installer program.    RelativePath specifies the destination directory of the file, relative to    some directory decided at install time. Two variables can be used in the    relative path: %root% and %temp%. %root% is replaced at run time with the    directory relative to which files should be installed; for example, it may    be the server’s root directory. The %temp% directory is created at the    beginning of the installation and destroyed at the end. The purpose of    %temp% is to hold executable files (such as setup programs) or files that    are used by these programs. Files destined for the temporary directory are    guaranteed to be in place before any executable file is run; they are not    deleted until all executable files have finished.    AbsolutePath specifies the destination directory of the file as an    absolute path.    Executable specifies that the file is to be executed during the course of    the installation. Typically, this string is used for a setup program    provided by a module vendor, such as a self-extracting setup executable.    More than one file can be specified as executable, in which case the files    are run in the order in which they are specified in the script file.    FilePermissions sets permissions on any referenced files in a string of    octal digits, according to the standard Unix format. This string is a    bitwise OR.  user read: 0400  user write: 0200  user execute: 0100  group read: 0040  group write: 0020  group execute: 0010  other read: 0004  other write: 0002  other execute:       0001    Some platforms may not understand these permissions. They are applied only    insofar as they make sense for the current platform. If this attribute is    omitted, a default of 777 is assumed. NSS Database Types    NSS originally used BerkeleyDB databases to store security information.    The last versions of these legacy databases are:      o cert8.db for certificates      o key3.db for keys      o secmod.db for PKCS #11 module information    BerkeleyDB has performance limitations, though, which prevent it from    being easily used by multiple applications simultaneously. NSS has some    flexibility that allows applications to use their own, independent    database engine while keeping a shared database and working around the    access issues. Still, NSS requires more flexibility to provide a truly    shared security database.    In 2009, NSS introduced a new set of databases that are SQLite databases    rather than BerkleyDB. These new databases provide more accessibility and    performance:      o cert9.db for certificates      o key4.db for keys      o pkcs11.txt, which is listing of all of the PKCS #11 modules contained        in a new subdirectory in the security databases directory    Because the SQLite databases are designed to be shared, these are the    shared database type. The shared database type is preferred; the legacy    format is included for backward compatibility.    By default, the tools (certutil, pk12util, modutil) assume that the given    security databases follow the more common legacy type. Using the SQLite    databases must be manually specified by using the sql: prefix with the    given security directory. For example:  modutil -create -dbdir sql:/home/my/sharednssdb    To set the shared database type as the default type for the tools, set the    NSS_DEFAULT_DB_TYPE environment variable to sql:  export NSS_DEFAULT_DB_TYPE=”sql”    This line can be set added to the ~/.bashrc file to make the change    permanent.    Most applications do not use the shared database by default, but they can    be configured to use them. For example, this how-to article covers how to    configure Firefox and Thunderbird to use the new shared NSS databases:

https://wiki.m ozilla.org/NSS_Shared_DB_Howto    For an engineering draft on the changes in the shared NSS databases, see    the NSS project wiki:

https:// wiki.mozilla.org/NSS_Shared_DB See Also    certutil (1)    pk12util (1)    signtool (1)    The NSS wiki has information on the new database design and how to    configure applications to use it.

https://wiki.m ozilla.org/NSS_Shared_DB_Howto

https:// wiki.mozilla.org/NSS_Shared_DB Additional Resources    For information about NSS and other tools related to NSS (like JSS), check    out the NSS project wiki at

[2]http://www.mozil la.org/projects/security/pki/n ss/. The NSS site relates    directly to NSS code changes and releases.    Mailing lists: https://lists.mozill a.org/listinfo/dev-tech-crypto    IRC: Freenode at #dogtag-pki Authors    The NSS tools were written and maintained by developers with Netscape, Red    Hat, and Sun.    Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey    <dlackey@redhat.com>. Copyright    (c) 2010, Red Hat, Inc. Licensed under the GNU Public License version 2. References    Visible links    1. JAR Installation File Format

file:///tmp/xmlto.6gGxS0/ modutil.pro...r-install-file    2. https://www.mozilla. org/projects/security/pki/nss/

342

mozilla_projects_nss_t ools_nss_tools_certutil-tasks

Newsgroup: mozilla.dev.tech .crypto

343

mozilla_projects _nss_tools_nss_tools_certutil

certificates, x509v3

The Certificate Database Tool is a command-line utility that can create and modify the Netscape Communicator cert8.db and key3.dbdatabase files. It can also list, generate, modify, or delete certificates within the cert8.dbfile and create or change the password, generate new public and private key pairs, display the contents of the key database, or delete key pairs within the key3.db file.

344

mozilla_project s_nss_tools_nss_tools_cmsutil

The cmsutil command-line utility uses the S/MIME Toolkit to perform basic operations, such as encryption and decryption, on Cryptographic Message Syntax (CMS) messages.

345

mozilla_project s_nss_tools_nss_tools_crlutil

Newsgroup: mozilla.dev.tech .crypto

346

mozilla_projects_n ss_tools_nss_tools_dbck-tasks

Newsgroup: mozilla.dev.tech .crypto

347

mozilla_projects_nss_ tools_nss_tools_modutil-tasks

Newsgroup: mozilla.dev.tech .crypto

348

mozilla_project s_nss_tools_nss_tools_modutil

The Security Module Database Tool is a command-line utility for managing PKCS #11 module information within secmod.db files or within hardware tokens. You can use the tool to add and delete PKCS #11 modules, change passwords, set defaults, list module contents, enable or disable slots, enable or disable FIPS 140-2 compliance, and assign default providers for cryptographic operations. This tool can also create key3.db, cert8.db, and secmod.db security database files.

349

mozilla_projects_nss_t ools_nss_tools_pk12util-tasks

Newsgroup: mozilla.dev.tech .crypto

350

mozilla_projects _nss_tools_nss_tools_pk12util

The PKCS #12 utility makes sharing of certificates among Enterprise server 3.x and any server (Netscape products or non-Netscape products) that supports PKCS#12 possible. The tool allows you to import certificates and keys from pkcs #12 files into NSS or export them and also list certificates and keys in such files.

351

mozilla_projects_nss_ tools_nss_tools_signver-tasks

No summary!

352

mozilla_projects_ns s_tools_nss_tools_sslstrength

A simple command-line client which connects to an SSL-server, and reports back the encryption cipher and strength used.

353

mozilla_projec ts_nss_tools_nss_tools_ssltap

The SSL Debugging Tool is an SSL-aware command-line proxy. It watches TCP connections and displays the data going by. If a connection is SSL, the data display includes interpreted SSL records and handshaking.

354

mozill a_projects_nss_tools_pk12util

Name    pk12util — Export and import keys and certificate to or from a PKCS #12    file and the NSS database Synopsis    pk12util [-i p12File [-h tokenname] [-v] [common-options] ] [ -l p12File    [-h tokenname] [-r] [common-options] ] [ -o p12File -n certname [-c    keyCipher] [-C certCipher] [-m|–key_len keyLen] [-n|–cert_key_len    certKeyLen] [common-options] ] [ common-options are: [-d [sql:]directory]    [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w    p12filePasswordFile|-W p12filePassword] ] Description    The PKCS #12 utility, pk12util, enables sharing certificates among any    server that supports PKCS#12. The tool can import certificates and keys    from PKCS#12 files into security databases, export certificates, and list    certificates and keys. Options and Arguments    Options    -i p12file            Import keys and certificates from a PKCS#12 file into a security            database.    -l p12file            List the keys and certificates in PKCS#12 file.    -o p12file            Export keys and certificates from the security database to a            PKCS#12 file.    Arguments    -n certname            Specify the nickname of the cert and private key to export.    -d [sql:]directory            Specify the database directory into which to import to or export            from certificates and keys.            pk12util supports two types of databases: the legacy security            databases (cert8.db, key3.db, and secmod.db) and new SQLite            databases (cert9.db, key4.db, and pkcs11.txt). If the prefix sql:            is not used, then the tool assumes that the given databases are in            the old format.    -P prefix            Specify the prefix used on the certificate and key databases. This            option is provided as a special case. Changing the names of the            certificate and key databases is not recommended.    -h tokenname            Specify the name of the token to import into or export from.    -v            Enable debug logging when importing.    -k slotPasswordFile            Specify the text file containing the slot’s password.    -K slotPassword            Specify the slot’s password.    -w p12filePasswordFile            Specify the text file containing the pkcs #12 file password.    -W p12filePassword            Specify the pkcs #12 file password.    -c keyCipher            Specify the key encryption algorithm.    -C certCipher            Specify the key cert (overall package) encryption algorithm.    -m | –key-len keyLength            Specify the desired length of the symmetric key to be used to            encrypt the private key.    -n | –cert-key-len certKeyLength            Specify the desired length of the symmetric key to be used to            encrypt the certificates and other meta-data.    -r            Dumps all of the data in raw (binary) form. This must be saved as            a DER file. The default is to return information in a pretty-print            ASCII format, which displays the information about the            certificates and public keys in the p12 file. Return Codes      o 0 - No error      o 1 - User Cancelled      o 2 - Usage error      o 6 - NLS init error      o 8 - Certificate DB open error      o 9 - Key DB open error      o 10 - File initialization error      o 11 - Unicode conversion error      o 12 - Temporary file creation error      o 13 - PKCS11 get slot error      o 14 - PKCS12 decoder start error      o 15 - error read from import file      o 16 - pkcs12 decode error      o 17 - pkcs12 decoder verify error      o 18 - pkcs12 decoder validate bags error      o 19 - pkcs12 decoder import bags error      o 20 - key db conversion version 3 to version 2 error      o 21 - cert db conversion version 7 to version 5 error      o 22 - cert and key dbs patch error      o 23 - get default cert db error      o 24 - find cert by nickname error      o 25 - create export context error      o 26 - PKCS12 add password itegrity error      o 27 - cert and key Safes creation error      o 28 - PKCS12 add cert and key error      o 29 - PKCS12 encode error Examples    Importing Keys and Certificates    The most basic usage of pk12util for importing a certificate or key is the    PKCS#12 input file (-i) and some way to specify the security database    being accessed (either -d for a directory or -h for a token).  pk12util -i p12File [-h tokenname] [-v] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]    For example:  # pk12util -i /tmp/cert-files/users.p12 -d sql:/home/my/sharednssdb  Enter a password which will be used to encrypt your keys.  The password should be at least 8 characters long,  and should contain at least one non-alphabetic character.  Enter new password:  Re-enter password:  Enter password for PKCS12 file:  pk12util: PKCS12 IMPORT SUCCESSFUL    Exporting Keys and Certificates    Using the pk12util command to export certificates and keys requires both    the name of the certificate to extract from the database (-n) and the    PKCS#12-formatted output file to write to. There are optional parameters    that can be used to encrypt the file to protect the certificate material.  pk12util -o p12File -n certname [-c keyCipher] [-C certCipher] [-m|–key_len keyLen] [-n|–cert_key_len certKeyLen] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]    For example:  # pk12util -o certs.p12 -n Server-Cert -d sql:/home/my/sharednssdb  Enter password for PKCS12 file:  Re-enter password:    Listing Keys and Certificates    The information in a .p12 file are not human-readable. The certificates    and keys in the file can be printed (listed) in a human-readable    pretty-print format that shows information for every certificate and any    public keys in the .p12 file.  pk12util -l p12File [-h tokenname] [-r] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]    For example, this prints the default ASCII output:  # pk12util -l certs.p12  Enter password for PKCS12 file:  Key(shrouded):      Friendly Name: Thawte Freemail Member’s Thawte Consulting (Pty) Ltd. ID      Encryption algorithm: PKCS #12 V2 PBE With SHA-1 And 3KEY Triple DES-CBC          Parameters:              Salt:

45:2e:6a:a0:03:4d :7b:a1:63:3c:15:ea:67:37:62:1f              Iteration Count: 1 (0x1)  Certificate:      Data:          Version: 3 (0x2)          Serial Number: 13 (0xd)          Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption          Issuer: “E=personal -freemail@thawte.com,CN=Thawte Personal Freemail C

A,OU=Certification Services Division,O=Thawte Consulting,L=Cape T              own,ST=Western Cape,C=ZA”  ….    Alternatively, the -r prints the certificates and then exports them into    separate DER binary files. This allows the certificates to be fed to    another application that supports .p12 files. Each certificate is written    to a sequentially-number file, beginning with file0001.der and continuing    through file000N.der, incrementing the number for every certificate:  # pk12util -l test.p12 -r  Enter password for PKCS12 file:  Key(shrouded):      Friendly Name: Thawte Freemail Member’s Thawte Consulting (Pty) Ltd. ID      Encryption algorithm: PKCS #12 V2 PBE With SHA-1 And 3KEY Triple DES-CBC          Parameters:              Salt:

45:2e:6a:a0:03:4d :7b:a1:63:3c:15:ea:67:37:62:1f              Iteration Count: 1 (0x1)  Certificate    Friendly Name: Thawte Personal Freemail Issuing CA - Thawte Consulting  Certificate    Friendly Name: Thawte Freemail Member’s Thawte Consulting (Pty) Ltd. ID Password Encryption    PKCS#12 provides for not only the protection of the private keys but also    the certificate and meta-data associated with the keys. Password-based    encryption is used to protect private keys on export to a PKCS#12 file    and, optionally, the entire package. If no algorithm is specified, the    tool defaults to using PKCS12 V2 PBE with SHA1 and 3KEY Triple DES-cbc for    private key encryption. PKCS12 V2 PBE with SHA1 and 40 Bit RC4 is the    default for the overall package encryption when not in FIPS mode. When in    FIPS mode, there is no package encryption.    The private key is always protected with strong encryption by default.    Several types of ciphers are supported.    Symmetric CBC ciphers for PKCS#5 V2            DES_CBC               o RC2-CBC               o RC5-CBCPad               o DES-EDE3-CBC (the default for key encryption)               o AES-128-CBC               o AES-192-CBC               o AES-256-CBC

o CAMELLIA-128-CBC

o CAMELLIA-192-CBC

o CAMELLIA-256-CBC    PKCS#12 PBE ciphers            PKCS #12 PBE with Sha1 and 128 Bit RC4               o PKCS #12 PBE with Sha1 and 40 Bit RC4               o PKCS #12 PBE with Sha1 and Triple DES CBC               o PKCS #12 PBE with Sha1 and 128 Bit RC2 CBC               o PKCS #12 PBE with Sha1 and 40 Bit RC2 CBC               o PKCS12 V2 PBE with SHA1 and 128 Bit RC4               o PKCS12 V2 PBE with SHA1 and 40 Bit RC4 (the default for                 non-FIPS mode)               o PKCS12 V2 PBE with SHA1 and 3KEY Triple DES-cbc               o PKCS12 V2 PBE with SHA1 and 2KEY Triple DES-cbc               o PKCS12 V2 PBE with SHA1 and 128 Bit RC2 CBC               o PKCS12 V2 PBE with SHA1 and 40 Bit RC2 CBC    PKCS#5 PBE ciphers            PKCS #5 Password Based Encryption with MD2 and DES CBC               o PKCS #5 Password Based Encryption with MD5 and DES CBC               o PKCS #5 Password Based Encryption with SHA1 and DES CBC    With PKCS#12, the crypto provider may be the soft token module or an    external hardware module. If the cryptographic module does not support the    requested algorithm, then the next best fit will be selected (usually the    default). If no suitable replacement for the desired algorithm can be    found, the tool returns the error no security module can perform the    requested operation. NSS Database Types    NSS originally used BerkeleyDB databases to store security information.    The last versions of these legacy databases are:      o cert8.db for certificates      o key3.db for keys      o secmod.db for PKCS #11 module information    BerkeleyDB has performance limitations, though, which prevent it from    being easily used by multiple applications simultaneously. NSS has some    flexibility that allows applications to use their own, independent    database engine while keeping a shared database and working around the    access issues. Still, NSS requires more flexibility to provide a truly    shared security database.    In 2009, NSS introduced a new set of databases that are SQLite databases    rather than BerkleyDB. These new databases provide more accessibility and    performance:      o cert9.db for certificates      o key4.db for keys      o pkcs11.txt, which is listing of all of the PKCS #11 modules contained        in a new subdirectory in the security databases directory    Because the SQLite databases are designed to be shared, these are the    shared database type. The shared database type is preferred; the legacy    format is included for backward compatibility.    By default, the tools (certutil, pk12util, modutil) assume that the given    security databases follow the more common legacy type. Using the SQLite    databases must be manually specified by using the sql: prefix with the    given security directory. For example:  # pk12util -i /tmp/cert-files/users.p12 -d sql:/home/my/sharednssdb    To set the shared database type as the default type for the tools, set the    NSS_DEFAULT_DB_TYPE environment variable to sql:  export NSS_DEFAULT_DB_TYPE=”sql”    This line can be set added to the ~/.bashrc file to make the change    permanent.    Most applications do not use the shared database by default, but they can    be configured to use them. For example, this how-to article covers how to    configure Firefox and Thunderbird to use the new shared NSS databases:

https://wiki.m ozilla.org/NSS_Shared_DB_Howto    For an engineering draft on the changes in the shared NSS databases, see    the NSS project wiki:

https:// wiki.mozilla.org/NSS_Shared_DB See Also    certutil (1)    modutil (1)    The NSS wiki has information on the new database design and how to    configure applications to use it.

https://wiki.m ozilla.org/NSS_Shared_DB_Howto

https:// wiki.mozilla.org/NSS_Shared_DB Additional Resources    For information about NSS and other tools related to NSS (like JSS), check    out the NSS project wiki at

[1]http://www.mozil la.org/projects/security/pki/n ss/. The NSS site relates    directly to NSS code changes and releases.    Mailing lists: https://lists.mozill a.org/listinfo/dev-tech-crypto    IRC: Freenode at #dogtag-pki Authors    The NSS tools were written and maintained by developers with Netscape, Red    Hat, and Sun.    Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey    <dlackey@redhat.com>. Copyright    (c) 2010, Red Hat, Inc. Licensed under the GNU Public License version 2. References    Visible links    1. http://www.mozi lla.org/projects/security/pki/ nss/

355

mozill a_projects_nss_tools_signtool

Name    signtool — Digitally sign objects and files. Synopsis    signtool [-k keyName] -h -H -l -L -M -v -w    -G nickname -s size -b basename [[-c Compression    Level] ] [[-d cert-dir] ] [[-i installer script] ] [[-m metafile] ] [[-x    name] ] [[-f filename] ] [[-t|–token tokenname] ] [[-e extension] ] [[-o]    ] [[-z] ] [[-X] ] [[–outfile] ] [[–verbose value] ] [[–norecurse] ]    [[–leavearc] ] [[-j directory] ] [[-Z jarfile] ] [[-O] ] [[-p password] ]    [directory-tree] [archive] Description    The Signing Tool, signtool, creates digital signatures and uses a Java    Archive (JAR) file to associate the signatures with files in a directory.    Electronic software distribution over any network involves potential    security problems. To help address some of these problems, you can    associate digital signatures with the files in a JAR archive. Digital    signatures allow SSL-enabled clients to perform two important operations:    * Confirm the identity of the individual, company, or other entity whose    digital signature is associated with the files    * Check whether the files have been tampered with since being signed    If you have a signing certificate, you can use Netscape Signing Tool to    digitally sign files and package them as a JAR file. An object-signing    certificate is a special kind of certificate that allows you to associate    your digital signature with one or more files.    An individual file can potentially be signed with multiple digital    signatures. For example, a commercial software developer might sign the    files that constitute a software product to prove that the files are    indeed from a particular company. A network administrator manager might    sign the same files with an additional digital signature based on a    company-generated certificate to indicate that the product is approved for    use within the company.    The significance of a digital signature is comparable to the significance    of a handwritten signature. Once you have signed a file, it is difficult    to claim later that you didn’t sign it. In some situations, a digital    signature may be considered as legally binding as a handwritten signature.    Therefore, you should take great care to ensure that you can stand behind    any file you sign and distribute.    For example, if you are a software developer, you should test your code to    make sure it is virus-free before signing it. Similarly, if you are a    network administrator, you should make sure, before signing any code, that    it comes from a reliable source and will run correctly with the software    installed on the machines to which you are distributing it.    Before you can use Netscape Signing Tool to sign files, you must have an    object-signing certificate, which is a special certificate whose    associated private key is used to create digital signatures. For testing    purposes only, you can create an object-signing certificate with Netscape    Signing Tool 1.3. When testing is finished and you are ready to    disitribute your software, you should obtain an object-signing certificate    from one of two kinds of sources:    * An independent certificate authority (CA) that authenticates your    identity and charges you a fee. You typically get a certificate from an    independent CA if you want to sign software that will be distributed over    the Internet.    * CA server software running on your corporate intranet or extranet.    Netscape Certificate Management System provides a complete management    solution for creating, deploying, and managing certificates, including CAs    that issue object-signing certificates.    You must also have a certificate for the CA that issues your signing    certificate before you can sign files. If the certificate authority’s    certificate isn’t already installed in your copy of Communicator, you    typically install it by clicking the appropriate link on the certificate    authority’s web site, for example on the page from which you initiated    enrollment for your signing certificate. This is the case for some test    certificates, as well as certificates issued by Netscape Certificate    Management System: you must download the CA certificate in addition to    obtaining your own signing certificate. CA certificates for several    certificate authorities are preinstalled in the Communicator certificate    database.    When you receive an object-signing certificate for your own use, it is    automatically installed in your copy of the Communicator client software.    Communicator supports the public-key cryptography standard known as PKCS    #12, which governs key portability. You can, for example, move an    object-signing certificate and its associated private key from one    computer to another on a credit-card-sized device called a smart card. Options    -b basename            Specifies the base filename for the .rsa and .sf files in the            META-INF directory to conform with the JAR format. For example, -b            signatures causes the files to be named signatures.rsa and            signatures.sf. The default is signtool.    -c#            Specifies the compression level for the -J or -Z option. The            symbol # represents a number from 0 to 9, where 0 means no            compression and 9 means maximum compression. The higher the level            of compression, the smaller the output but the longer the            operation takes. If the -c# option is not used with either the -J            or the -Z option, the default compression value used by both the            -J and -Z options is 6.    -d certdir            Specifies your certificate database directory; that is, the            directory in which you placed your key3.db and cert7.db files. To            specify the current directory, use “-d.” (including the period).            The Unix version of signtool assumes ~/.netscape unless told            otherwise. The NT version of signtool always requires the use of            the -d option to specify where the database files are located.    -e extension            Tells signtool to sign only files with the given extension; for            example, use -e”.class” to sign only Java class files. Note that            with Netscape Signing Tool version 1.1 and later this option can            appear multiple times on one command line, making it possible to            specify multiple file types or classes to include.    -f commandfile            Specifies a text file containing Netscape Signing Tool options and            arguments in keyword=value format. All options and arguments can            be expressed through this file. For more information about the            syntax used with this file, see “Tips and Techniques”.    -i scriptname            Specifies the name of an installer script for SmartUpdate. This            script installs files from the JAR archive in the local system            after SmartUpdate has validated the digital signature. For more            details, see the description of -m that follows. The -i option            provides a straightforward way to provide this information if you            don’t need to specify any metadata other than an installer script.    -j directory            Specifies a special JavaScript directory. This option causes the            specified directory to be signed and tags its entries as inline            JavaScript. This special type of entry does not have to appear in            the JAR file itself. Instead, it is located in the HTML page            containing the inline scripts. When you use signtool -v, these            entries are displayed with the string NOT PRESENT.    -k key … directory            Specifies the nickname (key) of the certificate you want to sign            with and signs the files in the specified directory. The directory            to sign is always specified as the last command-line argument.            Thus, it is possible to write signtool -k MyCert -d . signdir You            may have trouble if the nickname contains a single quotation mark.            To avoid problems, escape the quotation mark using the escape            conventions for your platform. It’s also possible to use the -k            option without signing any files or specifying a directory. For            example, you can use it with the -l option to get detailed            information about a particular signing certificate.    -G nickname            Generates a new private-public key pair and corresponding            object-signing certificate with the given nickname. The newly            generated keys and certificate are installed into the key and            certificate databases in the directory specified by the -d option.            With the NT version of Netscape Signing Tool, you must use the -d            option with the -G option. With the Unix version of Netscape            Signing Tool, omitting the -d option causes the tool to install            the keys and certificate in the Communicator key and certificate            databases. If you are installing the keys and certificate in the            Communicator databases, you must exit Communicator before using            this option; otherwise, you risk corrupting the databases. In all            cases, the certificate is also output to a file named x509.cacert,            which has the MIME-type application/x-x509-ca-cert. Unlike            certificates normally used to sign finished code to be distributed            over a network, a test certificate created with -G is not signed            by a recognized certificate authority. Instead, it is self-signed.            In addition, a single test signing certificate functions as both            an object-signing certificate and a CA. When you are using it to            sign objects, it behaves like an object-signing certificate. When            it is imported into browser software such as Communicator, it            behaves like an object-signing CA and cannot be used to sign            objects. The -G option is available in Netscape Signing Tool 1.0            and later versions only. By default, it produces only RSA            certificates with 1024-byte keys in the internal token. However,            you can use the -s option specify the required key size and the -t            option to specify the token. For more information about the use of            the -G option, see “Generating Test Object-Signing

Certificates””Generating Test Object-Signing Certificates” on page            1241.    -l            Lists signing certificates, including issuing CAs. If any of your            certificates are expired or invalid, the list will so specify.            This option can be used with the -k option to list detailed            information about a particular signing certificate. The -l option            is available in Netscape Signing Tool 1.0 and later versions only.    -J            Signs a directory of HTML files containing JavaScript and creates            as many archive files as are specified in the HTML tags. Even if            signtool creates more than one archive file, you need to supply            the key database password only once. The -J option is available            only in Netscape Signing Tool 1.0 and later versions. The -J            option cannot be used at the same time as the -Z option. If the            -c# option is not used with the -J option, the default compression            value is 6. Note that versions 1.1 and later of Netscape Signing            Tool correctly recognizes the CODEBASE attribute, allows paths to            be expressed for the CLASS and SRC attributes instead of filenames            only, processes LINK tags and parses HTML correctly, and offers            clearer error messages.    -L            Lists the certificates in your database. An asterisk appears to            the left of the nickname for any certificate that can be used to            sign objects with signtool.    –leavearc            Retains the temporary .arc (archive) directories that the -J            option creates. These directories are automatically erased by            default. Retaining the temporary directories can be an aid to            debugging.    -m metafile            Specifies the name of a metadata control file. Metadata is signed            information attached either to the JAR archive itself or to files            within the archive. This metadata can be any ASCII string, but is            used mainly for specifying an installer script. The metadata file            contains one entry per line, each with three fields: field #1:            file specification, or + if you want to specify global metadata            (that is, metadata about the JAR archive itself or all entries in            the archive) field #2: the name of the data you are specifying;            for example: Install-Script field #3: data corresponding to the            name in field #2 For example, the -i option uses the equivalent of            this line: + Install-Script: script.js This example associates a            MIME type with a file: movie.qt MIME-Type: video/quicktime For            information about the way installer script information appears in            the manifest file for a JAR archive, see The JAR Format on            Netscape DevEdge.    -M            Lists the PKCS #11 modules available to signtool, including smart            cards. The -M option is available in Netscape Signing Tool 1.0 and            later versions only. For information on using Netscape Signing            Tool with smart cards, see “Using Netscape Signing Tool with Smart            Cards”. For information on using the -M option to verify            FIPS-140-1 validated mode, see “Netscape Signing Tool and            FIPS-140-1”.    –norecurse            Blocks recursion into subdirectories when signing a directory’s            contents or when parsing HTML.    -o            Optimizes the archive for size. Use this only if you are signing            very large archives containing hundreds of files. This option            makes the manifest files (required by the JAR format) considerably            smaller, but they contain slightly less information.    –outfile outputfile            Specifies a file to receive redirected output from Netscape            Signing Tool.    -p password            Specifies a password for the private-key database. Note that the            password entered on the command line is displayed as plain text.    -s keysize            Specifies the size of the key for generated certificate. Use the            -M option to find out what tokens are available. The -s option can            be used with the -G option only.    -t token            Specifies which available token should generate the key and            receive the certificate. Use the -M option to find out what tokens            are available. The -t option can be used with the -G option only.    -v archive            Displays the contents of an archive and verifies the cryptographic            integrity of the digital signatures it contains and the files with            which they are associated. This includes checking that the            certificate for the issuer of the object-signing certificate is            listed in the certificate database, that the CA’s digital            signature on the object-signing certificate is valid, that the            relevant certificates have not expired, and so on.    –verbosity value            Sets the quantity of information Netscape Signing Tool generates            in operation. A value of 0 (zero) is the default and gives full            information. A value of -1 suppresses most messages, but not error            messages.    -w archive            Displays the names of signers of any files in the archive.    -x directory            Excludes the specified directory from signing. Note that with            Netscape Signing Tool version 1.1 and later this option can appear            multiple times on one command line, making it possible to specify            several particular directories to exclude.    -z            Tells signtool not to store the signing time in the digital            signature. This option is useful if you want the expiration date            of the signature checked against the current date and time rather            than the time the files were signed.    -Z jarfile            Creates a JAR file with the specified name. You must specify this            option if you want signtool to create the JAR file; it does not do            so automatically. If you don’t specify -Z, you must use an            external ZIP tool to create the JAR file. The -Z option cannot be            used at the same time as the -J option. If the -c# option is not            used with the -Z option, the default compression value is 6. The Command File Format    Entries in a Netscape Signing Tool command file have this general format:    keyword=value Everything before the = sign on a single line is a keyword,    and everything from the = sign to the end of line is a value. The value    may include = signs; only the first = sign on a line is interpreted. Blank    lines are ignored, but white space on a line with keywords and values is    assumed to be part of the keyword (if it comes before the equal sign) or    part of the value (if it comes after the first equal sign). Keywords are    case insensitive, values are generally case sensitive. Since the = sign    and newline delimit the value, it should not be quoted.    Subsection    basename            Same as -b option.    compression            Same as -c option.    certdir            Same as -d option.    extension            Same as -e option.    generate            Same as -G option.    installscript            Same as -i option.    javascriptdir            Same as -j option.    htmldir            Same as -J option.    certname            Nickname of certificate, as with -k and -l -k options.    signdir            The directory to be signed, as with -k option.    list            Same as -l option. Value is ignored, but = sign must be present.    listall            Same as -L option. Value is ignored, but = sign must be present.    metafile            Same as -m option.    modules            Same as -M option. Value is ignored, but = sign must be present.    optimize            Same as -o option. Value is ignored, but = sign must be present.    password            Same as -p option.    keysize            Same as -s option.    token            Same as -t option.    verify            Same as -v option.    who            Same as -w option.    exclude            Same as -x option.    notime            Same as -z option. value is ignored, but = sign must be present.    jarfile            Same as -Z option.    outfile            Name of a file to which output and error messages will be            redirected. This option has no command-line equivalent. Extended Examples    The following example will do this and that    Listing Available Signing Certificates    You use the -L option to list the nicknames for all available certificates    and check which ones are signing certificates.  signtool -L  using certificate directory: /u/jsmith/.netscape  S Certificates  - ————    BBN Certificate Services CA Root 1    IBM World Registry CA    VeriSign Class 1 CA - Individual Subscriber - VeriSign, Inc.    GTE CyberTrust Root CA    Uptime Group Plc. Class 4 CA  * Verisign Object Signing Cert    Integrion CA    GTE CyberTrust Secure Server CA    AT&T Directory Services  * test object signing cert    Uptime Group Plc. Class 1 CA    VeriSign Class 1 Primary CA  - ————  Certificates that can be used to sign objects have *’s to their left.    Two signing certificates are displayed: Verisign Object Signing Cert and    test object signing cert.    You use the -l option to get a list of signing certificates only,    including the signing CA for each.  signtool -l  using certificate directory: /u/jsmith/.netscape  Object signing certificates  ——— ——————————  Verisign Object Signing Cert      Issued by: VeriSign, Inc. - Verisign, Inc.      Expires: Tue May 19, 1998  test object signing cert      Issued by: test object signing cert (Signtool 1.0 Testing  Certificate (960187691))      Expires: Sun May 17, 1998  ——— ——————————    For a list including CAs, use the -L option.    Signing a File    1. Create an empty directory.  mkdir signdir    2. Put some file into it.  echo boo > signdir/test.f    3. Specify the name of your object-signing certificate and sign the    directory.  signtool -k MySignCert -Z testjar.jar signdir  using key “MySignCert”  using certificate directory: /u/jsmith/.netscape  Generating signdir/META-INF/manifest.mf file..  –> test.f  adding signdir/test.f to testjar.jar  Generating signtool.sf file..  Enter Password or Pin for “Communicator Certificate DB”:  adding signdir/META-INF/manifest.mf to testjar.jar  adding signdir/META-INF/signtool.sf to testjar.jar  adding signdir/META-INF/signtool.rsa to testjar.jar  tree “signdir” signed successfully    4. Test the archive you just created.  signtool -v testjar.jar  using certificate directory: /u/jsmith/.netscape  archive “testjar.jar” has passed crypto verification.             status   path       ———— ——————-           verified   test.f    Using Netscape Signing Tool with a ZIP Utility    To use Netscape Signing Tool with a ZIP utility, you must have the utility    in your path environment variable. You should use the zip.exe utility    rather than pkzip.exe, which cannot handle long filenames. You can use a    ZIP utility instead of the -Z option to package a signed archive into a    JAR file after you have signed it:  cd signdir    zip -r ../myjar.jar *    adding: META-INF/ (stored 0%)    adding: META-INF/manifest.mf (deflated 15%)    adding: META-INF/signtool.sf (deflated 28%)    adding: META-INF/signtool.rsa (stored 0%)    adding: text.txt (stored 0%)    Generating the Keys and Certificate    The signtool option -G generates a new public-private key pair and    certificate. It takes the nickname of the new certificate as an argument.    The newly generated keys and certificate are installed into the key and    certificate databases in the directory specified by the -d option. With    the NT version of Netscape Signing Tool, you must use the -d option with    the -G option. With the Unix version of Netscape Signing Tool, omitting    the -d option causes the tool to install the keys and certificate in the    Communicator key and certificate databases. In all cases, the certificate    is also output to a file named x509.cacert, which has the MIME-type    application/x-x509-ca-cert.    Certificates contain standard information about the entity they identify,    such as the common name and organization name. Netscape Signing Tool    prompts you for this information when you run the command with the -G    option. However, all of the requested fields are optional for test    certificates. If you do not enter a common name, the tool provides a    default name. In the following example, the user input is in boldface:  signtool -G MyTestCert  using certificate directory: /u/someuser/.netscape  Enter certificate information. All fields are optional. Acceptable  characters are numbers, letters, spaces, and apostrophes.  certificate common name: Test Object Signing Certificate  organization: Netscape Communications Corp.  organization unit: Server Products Division  state or province: California  country (must be exactly 2 characters): US  username: someuser  email address: someuser@netscape.com  Enter Password or Pin for “Communicator Certificate DB”: [Password will not echo]  generated public/private key pair  certificate request generated  certificate has been signed  certificate “MyTestCert” added to database  Exported certificate to x509.raw and x509.cacert.    The certificate information is read from standard input. Therefore, the    information can be read from a file using the redirection operator (<) in    some operating systems. To create a file for this purpose, enter each of    the seven input fields, in order, on a separate line. Make sure there is a    newline character at the end of the last line. Then run signtool with    standard input redirected from your file as follows:  signtool -G MyTestCert inputfile    The prompts show up on the screen, but the responses will be automatically    read from the file. The password will still be read from the console    unless you use the -p option to give the password on the command line.    Using the -M Option to List Smart Cards    You can use the -M option to list the PKCS #11 modules, including smart    cards, that are available to signtool:  signtool -d “c:netscapeusersjsmith” -M  using certificate directory: c:netscapeusersusername  Listing of PKCS11 modules  —————– ——————————          1. Netscape Internal PKCS #11 Module

(this module is internally loaded)

slots: 2 slots attached

status: loaded            slot: Communicator Internal Cryptographic Services Version 4.0           token: Communicator Generic Crypto Svcs            slot: Communicator User Private Key and Certificate Services           token: Communicator Certificate DB          2. CryptOS

(this is an external module)   DLL name: core32           slots: 1 slots attached          status: loaded            slot: Litronic 210           token:

   Using Netscape Signing Tool and a Smart Card to Sign Files    The signtool command normally takes an argument of the -k option to    specify a signing certificate. To sign with a smart card, you supply only    the fully qualified name of the certificate.    To see fully qualified certificate names when you run Communicator, click    the Security button in Navigator, then click Yours under Certificates in    the left frame. Fully qualified names are of the format smart    card:certificate, for example “MyCard:My Signing Cert”. You use this name    with the -k argument as follows:  signtool -k “MyCard:My Signing Cert” directory    Verifying FIPS Mode    Use the -M option to verify that you are using the FIPS-140-1 module.  signtool -d “c:netscapeusersjsmith” -M  using certificate directory: c:netscapeusersjsmith  Listing of PKCS11 modules  —————– ——————————    1. Netscape Internal PKCS #11 Module            (this module is internally loaded)            slots: 2 slots attached            status: loaded      slot: Communicator Internal Cryptographic Services Version 4.0     token: Communicator Generic Crypto Svcs      slot: Communicator User Private Key and Certificate Services     token: Communicator Certificate DB  —————– ——————————    This Unix example shows that Netscape Signing Tool is using a FIPS-140-1    module:  signtool -d “c:netscapeusersjsmith” -M  using certificate directory: c:netscapeusersjsmith  Enter Password or Pin for “Communicator Certificate DB”: [password will not echo]  Listing of PKCS11 modules  —————– ——————————  1. Netscape Internal FIPS PKCS #11 Module  (this module is internally loaded)  slots: 1 slots attached  status: loaded  slot: Netscape Internal FIPS-140-1 Cryptographic Services  token: Communicator Certificate DB  —————– —————————— See Also    signver (1)    The NSS wiki has information on the new database design and how to    configure applications to use it.

https://wiki.m ozilla.org/NSS_Shared_DB_Howto

https:// wiki.mozilla.org/NSS_Shared_DB Additional Resources    For information about NSS and other tools related to NSS (like JSS), check    out the NSS project wiki at

[1]http://www.mozil la.org/projects/security/pki/n ss/. The NSS site relates    directly to NSS code changes and releases.    Mailing lists: https://lists.mozill a.org/listinfo/dev-tech-crypto    IRC: Freenode at #dogtag-pki Authors    The NSS tools were written and maintained by developers with Netscape, Red    Hat, and Sun.    Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey    <dlackey@redhat.com>. Copyright    (c) 2010, Red Hat, Inc. Licensed under the GNU Public License version 2. References    Visible links    1. http://www.mozi lla.org/projects/security/pki/ nss/

356

mozil la_projects_nss_tools_signver

Name    signver — Verify a detached PKCS#7 signature for a file. Synopsis    signtool -A | -V -d directory [-a] [-i input_file] [-o output_file] [-s    signature_file] [-v] Description    The Signature Verification Tool, signver, is a simple command-line utility    that unpacks a base-64-encoded PKCS#7 signed object and verifies the    digital signature using standard cryptographic techniques. The Signature    Verification Tool can also display the contents of the signed object. Options    -A            Displays all of the information in the PKCS#7 signature.    -V            Verifies the digital signature.    -d [sql:]directory            Specify the database directory which contains the certificates and            keys.            signver supports two types of databases: the legacy security            databases (cert8.db, key3.db, and secmod.db) and new SQLite            databases (cert9.db, key4.db, and pkcs11.txt). If the prefix sql:            is not used, then the tool assumes that the given databases are in            the old format.    -a            Sets that the given signature file is in ASCII format.    -i input_file            Gives the input file for the object with signed data.    -o output_file            Gives the output file to which to write the results.    -s signature_file            Gives the input file for the digital signature.    -v            Enables verbose output. Extended Examples   Verifying a Signature    The -V option verifies that the signature in a given signature file is    valid when used to sign the given object (from the input file).  signver -V -s signature_file -i signed_file -d sql:/home/my/sharednssdb  signatureValid=yes   Printing Signature Data    The -A option prints all of the information contained in a signature file.    Using the -o option prints the signature file information to the given    output file rather than stdout.  signver -A -s signature_file -o output_file NSS Database Types    NSS originally used BerkeleyDB databases to store security information.    The last versions of these legacy databases are:      o cert8.db for certificates      o key3.db for keys      o secmod.db for PKCS #11 module information    BerkeleyDB has performance limitations, though, which prevent it from    being easily used by multiple applications simultaneously. NSS has some    flexibility that allows applications to use their own, independent    database engine while keeping a shared database and working around the    access issues. Still, NSS requires more flexibility to provide a truly    shared security database.    In 2009, NSS introduced a new set of databases that are SQLite databases    rather than BerkleyDB. These new databases provide more accessibility and    performance:      o cert9.db for certificates      o key4.db for keys      o pkcs11.txt, which is listing of all of the PKCS #11 modules contained        in a new subdirectory in the security databases directory    Because the SQLite databases are designed to be shared, these are the    shared database type. The shared database type is preferred; the legacy    format is included for backward compatibility.    By default, the tools (certutil, pk12util, modutil) assume that the given    security databases follow the more common legacy type. Using the SQLite    databases must be manually specified by using the sql: prefix with the    given security directory. For example:  # signver -A -s signature -d sql:/home/my/sharednssdb    To set the shared database type as the default type for the tools, set the    NSS_DEFAULT_DB_TYPE environment variable to sql:  export NSS_DEFAULT_DB_TYPE=”sql”    This line can be set added to the ~/.bashrc file to make the change    permanent.    Most applications do not use the shared database by default, but they can    be configured to use them. For example, this how-to article covers how to    configure Firefox and Thunderbird to use the new shared NSS databases:

https://wiki.m ozilla.org/NSS_Shared_DB_Howto    For an engineering draft on the changes in the shared NSS databases, see    the NSS project wiki:

https:// wiki.mozilla.org/NSS_Shared_DB See Also    signtool (1)    The NSS wiki has information on the new database design and how to    configure applications to use it.      o Setting up the shared NSS database

https://wiki.m ozilla.org/NSS_Shared_DB_Howto      o Engineering and technical information about the shared NSS database

https:// wiki.mozilla.org/NSS_Shared_DB Additional Resources    For information about NSS and other tools related to NSS (like JSS), check    out the NSS project wiki at

[1]http://www.mozil la.org/projects/security/pki/n ss/. The NSS site relates    directly to NSS code changes and releases.    Mailing lists: https://lists.mozill a.org/listinfo/dev-tech-crypto    IRC: Freenode at #dogtag-pki Authors    The NSS tools were written and maintained by developers with Netscape, Red    Hat, and Sun.    Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey    <dlackey@redhat.com>. Copyright    (c) 2010, Red Hat, Inc. Licensed under the GNU Public License version 2. References    Visible links    1. http://www.mozi lla.org/projects/security/pki/ nss/

357

mozi lla_projects_nss_tools_ssltap

Name    ssltap — Tap into SSL connections and display the data going by Synopsis    libssltap [-vhfsxl] [-p port] [hostname:port] Description    The SSL Debugging Tool ssltap is an SSL-aware command-line proxy. It    watches TCP connections and displays the data going by. If a connection is    SSL, the data display includes interpreted SSL records and handshaking Options    -v            Print a version string for the tool.    -h            Turn on hex/ASCII printing. Instead of outputting raw data, the            command interprets each record as a numbered line of hex values,            followed by the same data as ASCII characters. The two parts are            separated by a vertical bar. Nonprinting characters are replaced            by dots.    -f            Turn on fancy printing. Output is printed in colored HTML. Data            sent from the client to the server is in blue; the server’s reply            is in red. When used with looping mode, the different connections            are separated with horizontal lines. You can use this option to            upload the output into a browser.    -s            Turn on SSL parsing and decoding. The tool does not automatically            detect SSL sessions. If you are intercepting an SSL connection,            use this option so that the tool can detect and decode SSL            structures.            If the tool detects a certificate chain, it saves the DER-encoded            certificates into files in the current directory. The files are            named cert.0x, where x is the sequence number of the certificate.            If the -s option is used with -h, two separate parts are printed            for each record: the plain hex/ASCII output, and the parsed SSL            output.    -x            Turn on hex/ASCII printing of undecoded data inside parsed SSL            records. Used only with the -s option. This option uses the same            output format as the -h option.    -l prefix            Turn on looping; that is, continue to accept connections rather            than stopping after the first connection is complete.    -p port            Change the default rendezvous port (1924) to another port.            The following are well-known port numbers:            * HTTP 80            * HTTPS 443            * SMTP 25            * FTP 21            * IMAP 143            * IMAPS 993 (IMAP over SSL)            * NNTP 119            * NNTPS 563 (NNTP over SSL) Usage and Examples    You can use the SSL Debugging Tool to intercept any connection    information. Although you can run the tool at its most basic by issuing    the ssltap command with no options other than hostname:port, the    information you get in this way is not very useful. For example, assume    your development machine is called intercept. The simplest way to use the    debugging tool is to execute the following command from a command shell:  $ ssltap www.netscape.com    The program waits for an incoming connection on the default port 1924. In    your browser window, enter the URL http://intercept:1924. The browser    retrieves the requested page from the server at www.netscape.com, but the    page is intercepted and passed on to the browser by the debugging tool on    intercept. On its way to the browser, the data is printed to the command    shell from which you issued the command. Data sent from the client to the    server is surrounded by the following symbols: –> [ data ] Data sent from    the server to the client is surrounded by the following symbols: “left    arrow”– [ data ] The raw data stream is sent to standard output and is    not interpreted in any way. This can result in peculiar effects, such as    sounds, flashes, and even crashes of the command shell window. To output a    basic, printable interpretation of the data, use the -h option, or, if you    are looking at an SSL connection, the -s option. You will notice that the    page you retrieved looks incomplete in the browser. This is because, by    default, the tool closes down after the first connection is complete, so    the browser is not able to load images. To make the tool continue to    accept connections, switch on looping mode with the -l option. The    following examples show the output from commonly used combinations of    options.    Example 1  $ ssltap.exe -sx -p 444 interzone.mcom.com:443 > sx.txt    Output  Connected to interzone.mcom.com:443  –>; [  alloclen = 66 bytes     [ssl2]  ClientHelloV2 {              version = {0x03, 0x00}

cipher-specs-length = 39 (0x27)              sid-length = 0 (0x00)              challenge-length = 16 (0x10)              cipher-suites = {                  (0x010080) SSL2/RSA/RC4-128/MD5                    (0x020080) SSL2/RSA/RC4-40/MD5                    (0x030080) SSL2/RSA/RC2CBC128/MD5                    (0x040080) SSL2/RSA/RC2CBC40/MD5                    (0x060040) SSL2/RSA/DES64CBC/MD5                    (0x0700c0) SSL2/RSA/3DES192EDE-CBC/MD5                    (0x000004) SSL3/RSA/RC4-128/MD5                    (0x00ffe0) SS L3/RSA-FIPS/3DES192EDE-CBC/SHA                    (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA                    (0x00ffe1) SSL3/RSA-FIPS/DES64CBC/SHA                    (0x000009) SSL3/RSA/DES64CBC/SHA                    (0x000003) SSL3/RSA/RC4-40/MD5                    (0x000006) SSL3/RSA/RC2CBC40/MD5                    }              session-id = { }              challenge = { 0xec5d 0x8edb 0x37c9 0xb5c9 0x7b70 0x8fe9 0xd1d3  0x2592 }  }  ]  <– [  SSLRecord {     0: 16 03 00 03 e5

|…..     type    = 22 (handshake)     version = { 3,0 }     length  = 997 (0x3e5)     handshake {     0: 02 00 00 46

|…F        type = 2 (server_hello)        length = 70 (0x000046)              ServerHello {              server_version = {3, 0}              random = {…}     0: 77 8c 6e 26  6c 0c ec c0  d9 58 4f 47  d3 2d 01 45 |  wn&l.ì..XOG.-.E     10: 5c 17 75 43  a7 4c 88 c7  88 64 3c 50  41 48 4f 7f |  .uC§L.Ç.d<PAHO.                    session ID = {                    length = 32                  contents = {..}     0: 14 11 07 a8  2a 31 91 29  11 94 40 37  57 10 a7 32 | …¨*1.)..@7W.§2     10: 56 6f 52 62  fe 3d b3 65  b1 e4 13 0f  52 a3 c8 f6 | VoRbþ=³e±…R£È.           }                 cipher_suite = (0x0003) SSL3/RSA/RC4-40/MD5           }     0: 0b 00 02 c5

|…Å        type = 11 (certificate)        length = 709 (0x0002c5)              CertificateChain {              chainlength = 706 (0x02c2)                 Certificate {              size = 703 (0x02bf)                 data = { saved in file ‘cert.001’ }              }           }     0: 0c 00 00 ca

|….           type = 12 (server_key_exchange)           length = 202 (0x0000ca)     0: 0e 00 00 00

|….           type = 14 (server_hello_done)           length = 0 (0x000000)     }  }  ]  –> [  SSLRecord {     0: 16 03 00 00 44

|….D     type    = 22 (handshake)     version = { 3,0 }     length  = 68 (0x44)     handshake {     0: 10 00 00 40

|…@     type = 16 (client_key_exchange)     length = 64 (0x000040)           ClientKeyExchange {              message = {…}           }     }  }  ]  –> [  SSLRecord {     0: 14 03 00 00 01

|…..     type    = 20 (change_cipher_spec)     version = { 3,0 }     length  = 1 (0x1)     0: 01

|.  }  SSLRecord {     0: 16 03 00 00 38

|….8     type    = 22 (handshake)     version = { 3,0 }     length  = 56 (0x38)                 < encrypted >  }  ]  <– [  SSLRecord {     0: 14 03 00 00 01

|…..     type    = 20 (change_cipher_spec)     version = { 3,0 }     length  = 1 (0x1)     0: 01

|.  }  ]  <– [  SSLRecord {     0: 16 03 00 00 38

|….8     type    = 22 (handshake)     version = { 3,0 }     length  = 56 (0x38)                    < encrypted >  }  ]  –> [  SSLRecord {     0: 17 03 00 01 1f

|…..     type    = 23 (application_data)     version = { 3,0 }     length  = 287 (0x11f)                 < encrypted >  }  ]  <– [  SSLRecord {     0: 17 03 00 00 a0

|….     type    = 23 (application_data)     version = { 3,0 }     length  = 160 (0xa0)                 < encrypted >  }  ]  <– [  SSLRecord {  0: 17 03 00 00 df

|….ß     type    = 23 (application_data)     version = { 3,0 }     length  = 223 (0xdf)                 < encrypted >  }  SSLRecord {     0: 15 03 00 00 12

|…..     type    = 21 (alert)     version = { 3,0 }     length  = 18 (0x12)                 < encrypted >  }  ]  Server socket closed.    Example 2    The -s option turns on SSL parsing. Because the -x option is not used in    this example, undecoded values are output as raw data. The output is    routed to a text file.  $ ssltap -s  -p 444 interzone.mcom.com:443 > s.txt    Output  Connected to interzone.mcom.com:443  –> [  alloclen = 63 bytes     [ssl2]  ClientHelloV2 {              version = {0x03, 0x00}

cipher-specs-length = 36 (0x24)              sid-length = 0 (0x00)              challenge-length = 16 (0x10)              cipher-suites = {                    (0x010080) SSL2/RSA/RC4-128/MD5                    (0x020080) SSL2/RSA/RC4-40/MD5                    (0x030080) SSL2/RSA/RC2CBC128/MD5                    (0x060040) SSL2/RSA/DES64CBC/MD5                    (0x0700c0) SSL2/RSA/3DES192EDE-CBC/MD5                    (0x000004) SSL3/RSA/RC4-128/MD5                    (0x00ffe0) SS L3/RSA-FIPS/3DES192EDE-CBC/SHA                    (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA                    (0x00ffe1) SSL3/RSA-FIPS/DES64CBC/SHA                    (0x000009) SSL3/RSA/DES64CBC/SHA                    (0x000003) SSL3/RSA/RC4-40/MD5                    }                 session-id = { }              challenge = { 0x713c 0x9338 0x30e1 0xf8d6 0xb934 0x7351 0x200c  0x3fd0 }  ]  >– [  SSLRecord {     type    = 22 (handshake)     version = { 3,0 }     length  = 997 (0x3e5)     handshake {           type = 2 (server_hello)           length = 70 (0x000046)              ServerHello {              server_version = {3, 0}              random = {…}              session ID = {                 length = 32                 contents = {..}                 }                 cipher_suite = (0x0003) SSL3/RSA/RC4-40/MD5              }           type = 11 (certificate)           length = 709 (0x0002c5)              CertificateChain {                 chainlength = 706 (0x02c2)                 Certificate {                    size = 703 (0x02bf)                    data = { saved in file ‘cert.001’ }                 }              }           type = 12 (server_key_exchange)           length = 202 (0x0000ca)           type = 14 (server_hello_done)           length = 0 (0x000000)     }  }  ]  –> [  SSLRecord {     type    = 22 (handshake)     version = { 3,0 }     length  = 68 (0x44)     handshake {           type = 16 (client_key_exchange)           length = 64 (0x000040)              ClientKeyExchange {                 message = {…}              }     }  }  ]  –> [  SSLRecord {     type    = 20 (change_cipher_spec)     version = { 3,0 }     length  = 1 (0x1)  }  SSLRecord {     type    = 22 (handshake)     version = { 3,0 }     length  = 56 (0x38)                 > encrypted >  }  ]  >– [  SSLRecord {     type    = 20 (change_cipher_spec)     version = { 3,0 }     length  = 1 (0x1)  }  ]  >– [  SSLRecord {     type    = 22 (handshake)     version = { 3,0 }     length  = 56 (0x38)                 > encrypted >  }  ]  –> [  SSLRecord {     type    = 23 (application_data)     version = { 3,0 }     length  = 287 (0x11f)                 > encrypted >  }  ]  [  SSLRecord {     type    = 23 (application_data)     version = { 3,0 }     length  = 160 (0xa0)                 > encrypted >  }  ]  >– [  SSLRecord {     type    = 23 (application_data)     version = { 3,0 }     length  = 223 (0xdf)                 > encrypted >  }  SSLRecord {     type    = 21 (alert)     version = { 3,0 }     length  = 18 (0x12)                 > encrypted >  }  ]  Server socket closed.    Example 3    In this example, the -h option turns hex/ASCII format. There is no SSL    parsing or decoding. The output is routed to a text file.  $ ssltap -h  -p 444 interzone.mcom.com:443 > h.txt    Output  Connected to interzone.mcom.com:443  –> [     0: 80 40 01 03  00 00 27 00  00 00 10 01  00 80 02 00 | .@….’………     10: 80 03 00 80  04 00 80 06  00 40 07 00  c0 00 00 04 | ………@……     20: 00 ff e0 00  00 0a 00 ff  e1 00 00 09  00 00 03 00 | ……..á…….     30: 00 06 9b fe  5b 56 96 49  1f 9f ca dd  d5 ba b9 52 | ..þ[V.I.xd9 …º¹R     40: 6f 2d

|o-  ]  <– [     0: 16 03 00 03  e5 02 00 00  46 03 00 7f  e5 0d 1b 1d | ……..F…….     10: 68 7f 3a 79  60 d5 17 3c  1d 9c 96 b3  88 d2 69 3b | h.:y`..<..³.Òi;     20: 78 e2 4b 8b  a6 52 12 4b  46 e8 c2 20  14 11 89 05 | x.K.¦R.KFè. …     30: 4d 52 91 fd  93 e0 51 48  91 90 08 96  c1 b6 76 77 | MR.ý..QH…..¶vw     40: 2a f4 00 08  a1 06 61 a2  64 1f 2e 9b  00 03 00 0b | *ô..¡.a¢d……     50: 00 02 c5 00  02 c2 00 02  bf 30 82 02  bb 30 82 02 | ..Å……0…0..     60: 24 a0 03 02  01 02 02 02  01 36 30 0d  06 09 2a 86 | $ …….60…*.     70: 48 86 f7 0d  01 01 04 05  00 30 77 31  0b 30 09 06 | H.÷……0w1.0..     80: 03 55 04 06  13 02 55 53  31 2c 30 2a  06 03 55 04 | .U….US1,0*..U.     90: 0a 13 23 4e  65 74 73 63  61 70 65 20  43 6f 6d 6d | ..#Netscape Comm     a0: 75 6e 69 63  61 74 69 6f  6e 73 20 43  6f 72 70 6f | unications Corpo     b0: 72 61 74 69  6f 6e 31 11  30 0f 06 03  55 04 0b 13 | ration1.0…U…     c0: 08 48 61 72  64 63 6f 72  65 31 27 30  25 06 03 55 | .Hardcore1’0%..U     d0: 04 03 13 1e  48 61 72 64  63 6f 72 65  20 43 65 72 | ….Hardcore Cer     e0: 74 69 66 69  63 61 74 65  20 53 65 72  76 65 72 20 | tificate Server     f0: 49 49 30 1e  17 0d 39 38  30 35 31 36  30 31 30 33 | II0…9805160103  <additional data lines>  ]  <additional records in same format>  Server socket closed.    Example 4    In this example, the -s option turns on SSL parsing, and the -h option    turns on hex/ASCII format. Both formats are shown for each record. The    output is routed to a text file.  $ ssltap -hs -p 444 interzone.mcom.com:443 > hs.txt    Output  Connected to interzone.mcom.com:443  –> [     0: 80 3d 01 03  00 00 24 00  00 00 10 01  00 80 02 00 | .=….$………     10: 80 03 00 80  04 00 80 06  00 40 07 00  c0 00 00 04 | ………@……     20: 00 ff e0 00  00 0a 00 ff  e1 00 00 09  00 00 03 03 | ……..á…….     30: 55 e6 e4 99  79 c7 d7 2c  86 78 96 5d  b5 cf e9 |U..yÇxb0 ,.x.]µÏé  alloclen = 63 bytes     [ssl2]  ClientHelloV2 {              version = {0x03, 0x00}

cipher-specs-length = 36 (0x24)              sid-length = 0 (0x00)              challenge-length = 16 (0x10)              cipher-suites = {                    (0x010080) SSL2/RSA/RC4-128/MD5                    (0x020080) SSL2/RSA/RC4-40/MD5                    (0x030080) SSL2/RSA/RC2CBC128/MD5                    (0x040080) SSL2/RSA/RC2CBC40/MD5                    (0x060040) SSL2/RSA/DES64CBC/MD5                    (0x0700c0) SSL2/RSA/3DES192EDE-CBC/MD5                    (0x000004) SSL3/RSA/RC4-128/MD5                    (0x00ffe0) SS L3/RSA-FIPS/3DES192EDE-CBC/SHA                    (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA                    (0x00ffe1) SSL3/RSA-FIPS/DES64CBC/SHA                    (0x000009) SSL3/RSA/DES64CBC/SHA                    (0x000003) SSL3/RSA/RC4-40/MD5                    }              session-id = { }              challenge = { 0x0355 0xe6e4 0x9979 0xc7d7 0x2c86 0x7896 0x5db  0xcfe9 }  }  ]  <additional records in same formats>  Server socket closed. Usage Tips    When SSL restarts a previous session, it makes use of cached information    to do a partial handshake. If you wish to capture a full SSL handshake,    restart the browser to clear the session id cache.    If you run the tool on a machine other than the SSL server to which you    are trying to connect, the browser will complain that the host name you    are trying to connect to is different from the certificate. If you are    using the default BadCert callback, you can still connect through a    dialog. If you are not using the default BadCert callback, the one you    supply must allow for this possibility. See Also    The NSS Security Tools are also documented at

[1]http://www.mozil la.org/projects/security/pki/n ss/. Additional Resources    NSS is maintained in conjunction with PKI and security-related projects    through Mozilla dn Fedora. The most closely-related project is Dogtag PKI,    with a project wiki at [2]http: //pki.fedoraproject.org/wiki/.    For information specifically about NSS, the NSS project wiki is located at

[3]http://www.mozil la.org/projects/security/pki/n ss/. The NSS site relates    directly to NSS code changes and releases.    Mailing lists: pki-devel@redhat.com and pki-users@redhat.com    IRC: Freenode at #dogtag-pki Authors    The NSS tools were written and maintained by developers with Netscape and    now with Red Hat and Sun.    Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey    <dlackey@redhat.com>. Copyright    (c) 2010, Red Hat, Inc. Licensed under the GNU Public License version 2. References    Visible links    1. http://www.mozilla.org/p rojects/secu…/pki/nss/tools    2. http ://pki.fedoraproject.org/wiki/    3. http://www.mozi lla.org/projects/security/pki/ nss/

358

mozill a_projects_nss_tools_vfychain

Name    vfychain — vfychain [options] [revocation options] certfile [[options]    certfile] … Synopsis    vfychain Description    The verification Tool, vfychain, verifies certificate chains. modutil can    add and delete PKCS #11 modules, change passwords on security databases,    set defaults, list module contents, enable or disable slots, enable or    disable FIPS 140-2 compliance, and assign default providers for    cryptographic operations. This tool can also create certificate, key, and    module security database files.    The tasks associated with security module database management are part of    a process that typically also involves managing key databases and    certificate databases. Options    -a            the following certfile is base64 encoded    -b YYMMDDHHMMZ            Validate date (default: now)    -d directory            database directory    -f            Enable cert fetching from AIA URL    -o oid            Set policy OID for cert validation(Format OID.1.2.3)    -p            Use PKIX Library to validate certificate by calling:            * CERT_VerifyCertificate if specified once,            * CERT_PKIXVerifyCert if specified twice and more.    -r            Following certfile is raw binary DER (default)    -t            Following cert is explicitly trusted (overrides db trust)    -u usage            0=SSL client, 1=SSL server, 2=SSL StepUp, 3=SSL CA, 4=Email            signer, 5=Email recipient, 6=Object signer,

9=ProtectedObjectSigner, 10=OCSP responder, 11=Any CA    -v            Verbose mode. Prints root cert subject(double the argument for            whole root cert info)    -w password            Database password    -W pwfile            Password file            Revocation options for PKIX API (invoked with -pp options) is a            collection of the following flags: [-g type [-h flags] [-m type            [-s flags]] …] …            Where:    -g test-type            Sets status checking test type. Possible values are “leaf” or            “chain”    -g test type            Sets status checking test type. Possible values are “leaf” or            “chain”.    -h test flags            Sets revocation flags for the test type it follows. Possible            flags: “testLocalInfoFirst” and “requireFreshInfo”.    -m method type            Sets method type for the test type it follows. Possible types are            “crl” and “ocsp”.    -s method flags            Sets revocation flags for the method it follows. Possible types            are “doNotUse”, “forbidFetching”, “ignoreDefaultSrc”,            “requireInfo” and “failIfNoInfo”. Additional Resources    For information about NSS and other tools related to NSS (like JSS), check    out the NSS project wiki at

[1]http://www.mozil la.org/projects/security/pki/n ss/. The NSS site relates    directly to NSS code changes and releases.    Mailing lists: https://lists.mozill a.org/listinfo/dev-tech-crypto    IRC: Freenode at #dogtag-pki Authors    The NSS tools were written and maintained by developers with Netscape, Red    Hat, and Sun.    Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey    <dlackey@redhat.com>. Copyright    (c) 2010, Red Hat, Inc. Licensed under the GNU Public License version 2. References    Visible links    1. http://www.mozi lla.org/projects/security/pki/ nss/

359

mozil la_projects_nss_tools_vfyserv

Coming soon

360

mozilla _projects_nss_troubleshooting

NSS

On this page, let’s collect information on how to troubleshoot NSS at runtime. Debugging tips, how to enable tracing of the various modules, etc.

361

mozilla_p rojects_nss_utility_functions

NSS

The public functions listed here perform initialization tasks and other services.