Index
Found 361 pages:
# |
Page |
Tags and summary |
---|---|---|
1 |
JSS, NSS, NeedsMigration |
|
Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. Applications built with NSS can support SSL v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards. |
||
2 |
mozilla_projects_nss_an_overview_of_nss_internals |
API, Intermediate, Intro, NSS, Tools |
A High-Level Overview to the Internals of Network Security Services (NSS). Software developed by the Mozilla.org projects traditionally used its own implementation of security protocols and cryptographic algorithms, originally called Netscape Security Services, nowadays called Network Security Services (NSS). NSS is a library written in the C programming language. It’s free and open source software, and many other software projects have decided to use it. In order to support multiple operating systems (OS), it is based on a cross platform portability layer, called the Netscape Portable Runtime (NSPR), which provides cross platform application programming interfaces (APIs) for OS specific APIs like file system access, memory management, network communication, and multithreaded programming. NSS offers lots of functionality; we’ll walk through the list of modules, design principles, and important relevant standards. In order to allow interoperability between software and devices that perform cryptographic operations, NSS conforms to a standard called PKCS#11. (Note that it’s important to look at the number 11, as there are other PKCS standards with different numbers that define quite different topics.) A software or hardware module conforming to the PKCS#11 standard implements an interface of C calls, which allow querying the characteristics and offered services of the module. Multiple elements of NSS’s own modules have been implemented with this interface, and NSS makes use of this interface when talking to those modules. This strategy allows NSS to work with many hardware devices (e.g., to speed up the calculations required for cryptographic operations, or to access smartcards that securely protect a secret key) and software modules (e.g., to allow loading such modules as a plugin that provides additional algorithms or stores key or trust information) that implement the PKCS#11 interface.
A core element of NSS is FreeBL, a base library providing hash functions, big number calculations, and cryptographic algorithms. Softoken is an NSS module that exposes most FreeBL functionality as a PKCS#11 module. Some cryptography uses the same secret key for both encrypting and decrypting, for example password based encryption (PBE). This is often sufficient if you encrypt data for yourself, but as soon as you need to exchange signed/encrypted data with communication partners, using public key encryption simplifies the key management. The environment that describes how to use public key encryption is called Public Key Infrastructure (PKI). The public keys that are exchanged between parties are transported using a container; the container is called a certificate, following standard X.509 version 3. A certificate contains lots of other details; for example, it contains a signature by a third party that expresses trust in the ownership relationship for the certificate. The trust assigned by the third party might be restricted to certain uses, which are listed in certificate extensions that are contained in the certificate. Many (if not most) of the operations performed by NSS involve the use of X.509 certificates (often abbreviated as “cert”, unfortunately making it easy to confuse with the term “computer emergency response team“). When checking whether a certificate is trusted or not, it’s necessary to find a relevant trust anchor (root certificate) that represents the signing capability of a trusted third party, usually called a Certificate Authority (CA). A trust anchor is just another X.509 certificate that is already known and has been deliberately marked as trusted by a software vendor, administrators inside an organizational infrastructure, or the software user. NSS ships a predefined set of CA certificates. 
This set, including their trust assignments, is provided by NSS as a software module, called CKBI (“built-in root certificates”), which also implements the PKCS#11 interface. On an organizational level the contents of the set are managed according to the Mozilla CA policy. On a technical level the set is a binary software module. A cryptographic transaction, such as encryption or decryption related to a data exchange, usually involves working with the X.509 certs of your communication partners (peer). It’s also required that you safely keep your own secret keys that belong to your own certificates. You might want to protect the storage of your secret keys with PBE. You might decide to modify the default trust provided by NSS. All of this requires storing, looking up, and retrieving data. NSS simplifies performing these operations by offering storage and management APIs. NSS doesn’t require the programmer to manage individual files containing individual certificates or keys. Instead, NSS offers to use its own database(s). Once you have imported certificates and keys into the NSS database, you can easily look them up and use them again. Because of NSS’s expectation to operate with an NSS database, it’s mandatory that you perform an initialization call, where you tell NSS which database you will be using. In the most simple scenario, the programmer will provide a directory on your filesystem as a parameter to the init function, and NSS is designed to do the rest. It will detect and open an existing database, or it can create a new one. Alternatively, should you decide that you don’t want to work with any persistent recording of certificates, you may initialize NSS in a no-database mode. Usually, NSS will flush all data to disk as soon as new data has been added to permanent storage. 
Storage consists of multiple files: a key database file, which contains your secret keys, and a certificate database file which contains the public portion of your own certificates, the certificates of peers or CAs, and a list of trust decisions (such as to not trust a built-in CA, or to explicitly trust other CAs). Examples for the database files are key3.db and cert8.db, where the numbers are file version numbers. A third file contains the list of external PKCS#11 modules that have been registered to be used by NSS. The file could be named secmod.db, but in newer database generations a file named pkcs11.txt is used. Only NSS is allowed to access and manipulate these database files directly; a programmer using NSS must go through the APIs offered by NSS to manipulate the data stored in these files. The programmer’s task is to initialize NSS with the required parameters (such as a database), and NSS will then transparently manage the database files. Most of the time certificates and keys are supposed to be stored in the NSS database. Therefore, after initial import or creation, the programmer usually doesn’t deal with their raw bytes. Instead, the programmer will use lookup functions, and NSS will provide an access handle that will be subsequently used by the application’s code. Those handles are reference counted. NSS will usually create an in-memory (RAM) presentation of certificates, once a certificate has been received from the network, read from disk, or looked up from the database, and prepare in-memory data structures that contain the certificate’s properties, as well as providing a handle for the programmer to use. Once the application is done with a handle, it should be released, allowing NSS to free the associated resources. When working with handles to private keys it’s usually difficult (and undesired) that an application gets access to the raw key data; therefore it may be difficult to extract such data from NSS. 
The usual minimum requirement is that private keys must be wrapped using a protective layer (such as password-based encryption). The intention is to make it easier to review code for security. The less code that has access to raw secret keys, the less code that must be reviewed. NSS has only limited functionality to look up raw keys. The preferred approach is to use certificates, and to look up certificates by properties such as the contained subject name (information that describes the owner of the certificate). For example, while NSS supports random calculation (creation) of a new public/private key pair, it’s difficult to work with such a raw key pair. The usual approach is to create a certificate signing request (CSR) as soon as an application is done with the creation step, which will have created a handle to the key pair, and which can be used for the necessary related operations, like producing a proof-of-ownership of the private key, which is usually required when submitting the public key with a CSR to a CA. The usual follow up action is receiving a signed certificate from a CA. (However, it’s also possible to use NSS functionality to create a self-signed certificate, which, however, usually won’t be trusted by other parties.) Once received, it’s sufficient to tell NSS to import such a new certificate into the NSS database, and NSS will automatically perform a lookup of the embedded public key, be able to find the associated private key, and subsequently be able to treat it as a personal certificate. (A personal certificate is a certificate for which the private key is in possession, and which could be used for signing data or for decrypting data.) A unique nickname can/should be assigned to the certificate at the time of import, which can later be used to easily identify and retrieve it. It’s important to note that NSS requires strict cleanup for all handles returned by NSS. 
The application should always call the appropriate dereference (destroy) functions once a handle is no longer needed. This is particularly important for applications that might need to close a database and reinitialize NSS using a different one, without restarting. Such an operation might fail at runtime if data elements are still being referenced. In addition to the FreeBL, Softoken, and CKBI modules, there is a utility library for general operations (e.g., encoding/decoding between data formats, a list of standardized object identifiers (OID)). NSS has an SSL/TLS module that implements the Secure Sockets Layer/Transport Layer Security network protocols, an S/MIME module that implements CMS messaging used by secure email and some instant messaging implementations, a DBM library that implements the classic database storage, and finally a core NSS library for the big set of “everything else”. Newer generations of the database use the SQLite database to allow concurrent access by multiple applications. All of the above are provided as shared libraries. The CRMF library, which is used to produce certain kinds of certificate requests, is available as a library for static linking only. When dealing with certificates (X.509), file formats such as PKCS#12 (certificates and keys), PKCS#7 (signed data), and message formats such as CMS, we should mention ASN.1, which is a syntax for storing structured data in a very efficient (small sized) presentation. It was originally developed for telecommunication systems at times where it was critical to minimize data as much as possible (although it still makes sense to use that principle today for good performance). In order to process data available in the ASN.1 format, the usual approach is to parse it and transfer it to a presentation that requires more space but is easier to work with, such as (nested) C data structures.
Over time, NSS has received three different ASN.1 parser implementations, each having their own specific properties, advantages and disadvantages, which is why all of them are still being used (nobody has yet dared to replace the older with the newer ones because of risks for side effects). When using the ASN.1 parser(s), a template definition is passed to the parser, which will analyze the ASN.1 data stream accordingly. The templates are usually closely aligned to definitions found in RFC documents. A data block described as DER is usually in ASN.1 format. You must know which data you are expecting, and use the correct template for parsing, based on the context of your software’s interaction. Data described as PEM is a base64 encoded presentation of DER, usually wrapped between human readable BEGIN/END lines. NSS prefers the binary presentation, but is often capable of using base64 or ASCII presentations, especially when importing data from files. A recent development adds support for loading external PEM files that contain private keys, in a software library called nss-pem, which is separately available, but should eventually become a core part of NSS. Looking at the code level, NSS deals with blocks of raw data all the time. The common structure to store such an untyped block is SECItem, which contains a size and an untyped C pointer variable. When dealing with memory, NSS makes use of arenas, which are an attempt to simplify management with the limited offerings of C (because there are no destructors). The idea is to group multiple memory allocations in order to simplify cleanup. Performing an operation often involves allocating many individual data items, and the code might be required to abort a task at many positions in the logic. An arena is requested once processing of a task starts, and all memory allocations that are logically associated with that task are requested from the associated arena.
The implementation of arenas makes sure that all individual memory blocks are tracked. Once a task is done, regardless of whether it completed or was aborted, the programmer simply needs to release the arena, and all individually allocated blocks will be released automatically. Often freeing is combined with immediately erasing (zeroing, zfree) the memory associated with the arena, in order to make it more difficult for attackers to extract keys from a memory dump. NSS uses many C data structures. Often NSS has multiple implementations for the same or similar concepts. For example, there are multiple presentations of certificates, and the NSS internals (and sometimes even the application using NSS) might have to convert between them. Key responsibilities of NSS are verification of signatures and certificates. In order to verify a digital signature, we have to look at the application data (e.g., a document that was signed), the signature data block (the digital signature), and a public key (as found in a certificate that is believed to be the signer, e.g., identified by metadata received together with the signature). The signature is verified if it can be shown that the signature data block must have been produced by the owner of the public key (because only that owner has the associated private key). Verifying a certificate (A) requires some additional steps. First, you must identify the potential signer (B) of a certificate (A). This is done by reading the “issuer name” attribute of a certificate (A), and trying to find that issuer certificate (B) (by looking for a certificate that uses that name as its “subject name”). Then you attempt to verify the signature found in (A) using the public key found in (B). It might be necessary to try multiple certificates (B1, B2, …) each having the same subject name. After succeeding, it might be necessary to repeat this procedure recursively.
The goal is to eventually find a certificate B (or C or …) that has an appropriate trust assigned (e.g., because it can be found in the CKBI module and the user hasn’t made any overriding trust decisions, or it can be found in a NSS database file managed by the user or by the local environment). After having successfully verified the signatures in a (chain of) issuer certificate(s), we’re still not done with verifying the certificate A. In a PKI it’s suggested/required to perform additional checks. For example: Certificates were valid at the time the signature was made, name in certificates matches the expected signer (check subject name, common name, email, based on application), the trust restrictions recorded inside the certificate (extensions) permit the use (e.g., encryption might be allowed, but not signing), and based on environment/application policy it might be required to perform a revocation check (OCSP or CRL), that asks the issuer(s) of the certificates whether there have been events that made it necessary to revoke the trust (revoke the validity of the cert). Trust anchors contained in the CKBI module are usually self signed, which is defined as having identical subject name and issuer name fields. If a self-signed certificate is marked as explicitly trusted, NSS will skip checking the self-signature for validity. NSS has multiple APIs to perform verification of certificates. There is a classic engine that is very stable and works fine in all simple scenarios, for example if all (B) candidate issuer certificates have the same subject and issuer names and differ by validity period; however, it works only in a limited amount of more advanced scenarios. Unfortunately, the world of certificates has become more complex in the recent past. New Certificate Authorities enter the global PKI market, and in order to get started with their business, they might make deals with established CAs and receive so-called cross-signing-certificates. 
As a result, when searching for a trust path from (A) to a trusted anchor (root) certificate (Z), the set of candidate issuer certificates might have different issuer names (referring to the second or higher issuer level). As a consequence, it will be necessary to try multiple different alternative routes while searching for (Z), in a recursive manner. Only the newer verification engine (internally named libPKIX) is capable of doing that properly. It’s worth mentioning the Extended Validation (EV) principle, which is an effort by software vendors and CAs to define a stricter set of rules for issuing certificates for web site certificates. Instead of simply verifying that the requester of a certificate is in control of an administrative email address at the desired web site’s domain, it’s required that the CA performs a verification of real world identity documents (such as a company registration document with the country’s authority), and it’s also required that a browser software performs a revocation check with the CA, prior to granting validity to the certificate. In order to distinguish an EV certificate, CAs will embed a policy OID in the certificate, and the browser is expected to verify that a trust chain permits the end entity (EE) certificate to make use of the policy. Only the APIs of the newer libPKIX engine are capable of performing a policy verification. That’s a good opportunity to talk about SSL/TLS connections to servers in general (not just EV, not just websites). Whenever this document mentions SSL, it refers to either SSL or TLS. (TLS is a newer version of SSL with enhanced features.) When establishing an SSL connection to a server, (at least) a server certificate (and its trust chain) is exchanged from the server to the client (e.g., the browser), and the client verifies that the certificate can be verified (including matching the name of the expected destination server). Another part of the handshake between both parties is a key exchange. 
Because public key encryption is more expensive (more calculations required) than symmetric encryption (where both parties use the same key), a key agreement protocol will be executed, where the public and private keys are used to prove and verify the exchanged initial information. Once the key agreement is done, a symmetric encryption will be used (until a potential re-handshake on an existing channel). The combination of the hash and encryption algorithms used for an SSL connection is called a cipher suite. NSS ships with a set of cipher suites that it supports at a technical level. In addition, NSS ships with a default policy that defines which cipher suites are enabled by default. An application is able to modify the policy used at program runtime, by using function calls to modify the set of enabled cipher suites. If a programmer wants to influence how NSS verifies certificates or how NSS verifies the data presented in an SSL connection handshake, it is possible to register application-defined callback functions which will be called by NSS at the appropriate point of time, and which can be used to override the decisions made by NSS. If you would like to use NSS as a toolkit that implements SSL, remember that you must init NSS first. But if you don’t care about modifying the default trust permanently (recorded on disk), you can use the no-database init calls. When creating the network socket for data exchange, note that you must use the operating system independent APIs provided by NSPR and NSS. It might be interesting to mention a property of the NSPR file descriptors, which are stacked in layers. This means you can define multiple layers that are involved in data processing. A file descriptor has a pointer to the first layer handling the data. That layer has a pointer to a potential second layer, which might have another pointer to a third layer, etc. Each layer defines its own functions for the open/close/read/write/poll/select (etc.) functions.
When using an SSL network connection, you’ll already have two layers, the basic NSPR layer and an SSL library layer. The Mozilla applications define a third layer where application specific processing is performed. You can find more details in the NSPR reference documents. NSS occasionally has to create outbound network connections, in addition to the connections requested by the application. Examples are retrieving OCSP (Online Certificate Status Protocol) information or downloading a CRL (Certificate Revocation List). However, NSS doesn’t have an implementation to work with network proxies. If you must support proxies in your application, you are able to register your own implementation of an http request callback interface, and NSS can use your application code that supports proxies. When using hashing, encryption, and decryption functions, it is possible to stream data (as opposed to operating on a large buffer). Create a context handle while providing all the parameters required for the operation, then call an “update” function multiple times to pass subsets of the input to NSS. The data will be processed and either returned directly or sent to a callback function registered in the context. When done, you call a finalization function that will flush out any pending data and free the resources. This line is a placeholder for future sections that should explain how libpkix works and is designed. If you want to work with NSS, it’s often helpful to use the command line utilities that are provided by the NSS developers. There are tools for managing NSS databases, for dumping or verifying certificates, for registering PKCS#11 modules with a database, for processing CMS encrypted/signed messages, etc.
For example, if you wanted to create your own pair of keys and request a new certificate from a CA, you could use certutil to create an empty database, then use certutil to operate on your database and create a certificate request (which involves creating the desired key pair) and export it to a file, submit the request file to the CA, receive the file from the CA, and import the certificate into your database. You should assign a good nickname to a certificate when importing it, making it easier for you to refer to it later. It should be noted that the first database format that can be accessed simultaneously by multiple applications is key4.db/cert9.db – database files with lower numbers will most likely experience unrecoverable corruption if you access them with multiple applications at the same time. In other words, if your browser or your server operates on an older NSS database format, don’t use the NSS tools to operate on it while the other software is executing. At the time of writing NSS and the Mozilla applications still use the older database file format by default, where each application has its own NSS database. If you require a copy of a certificate stored in an NSS database, including its private key, you can use pk12util to export it to the PKCS#12 file format. If you require it in PEM format, you could use the openssl pkcs12 command (that’s not NSS) to convert the PKCS#12 file to PEM. This line is a placeholder for how to prepare a database, how to dump a cert, and how to convert data. You might have been motivated to work with NSS because it is used by the Mozilla applications such as Firefox, Thunderbird, etc. If you build the Mozilla application, it will automatically build the NSS library, too. However, if you want to work with the NSS command line tools, you will have to follow the standalone NSS build instructions, and build NSS outside of the Mozilla application sources. 
The key database file will contain at least one symmetric key, which NSS will automatically create on demand, and which will be used to protect your secret (private) keys. The symmetric key can be protected with PBE by setting a master password on the database. As soon as you set a master password, an attacker stealing your key database will no longer be able to get access to your private key, unless the attacker would also succeed in stealing the master password. Now you might be interested in how to get the mozilla_projects_nss_nss_sources_building_testing |
||
3 |
mozilla_projects_nss_blank_function |
NSS |
One-line description of what the function does (more than just what it returns). |
||
4 |
:ref:`mozilla_projects_nss_building` |
Guide, NSS, Security |
This page has detailed information on how to build NSS. Because NSS is a cross-platform library that builds on many different platforms and has many options, it may be complex to build. Please read these instructions carefully before attempting to build. |
||
5 |
mozilla_projects_nss_cert_findcertbydercert |
NSS |
Find a certificate in the database that matches a DER-encoded certificate. |
||
6 |
mozilla_projects_nss_cert_findcertbyissuerandsn |
NSS |
Find a certificate in the database with the given issuer and serial number. |
||
7 |
:ref:mozilla_projects_nss_certificate_download_specification |
NSS |
This document describes the data formats used by NSS 3.x for installing certificates. This document is currently being revised and has not yet been reviewed for accuracy. |
||
8 |
mozilla_projects_nss_certificate_functions |
NSS |
The public functions listed here are used to interact with certificate databases. |
||
9 |
mozilla_projects_nss_certverify_log |
NSS |
All the NSS verify functions, except the *VerifyNow() functions, take a parameter called ‘CERTVerifyLog’. If you supply the log parameter, NSS will continue chain validation after each error. The log tells you what the problem was with the chain and what certificate in the chain failed. |
||
10 |
mozilla_projects_nss_code_coverage |
NSS |
No summary! |
||
11 |
mozilla_projects_nss_cryptography_functions |
NSS |
The public functions listed here perform cryptographic operations based on the PKCS #11 interface. |
||
12 |
mozilla_projects_nss_deprecated_ssl_functions |
NSS |
The following SSL functions have been replaced with newer versions. The deprecated functions are not supported by the new SSL shared libraries. Applications that want to use the SSL shared libraries must convert to calling the new replacement functions listed below. |
||
13 |
mozilla_projects_nss_encrypt_decrypt_mac_keys_as_session_objects |
Decrypt, Encryption, Example, NSS, Sample code |
Generates encryption/mac keys and uses session objects. |
||
14 |
mozilla_projects_nss_encrypt_decrypt_mac_using_token |
Example, Intermediate, Mozilla, NSS |
Generates encryption/mac keys and uses token for storing. |
||
15 |
:ref:mozilla_projects_nss_faq |
NSS, NeedsUpdate |
NSS is a set of libraries, APIs, utilities, and documentation designed to support cross-platform development of security-enabled client and server applications. It provides a complete open-source implementation of the crypto libraries used by Mozilla and other companies in the Firefox browser, AOL Instant Messenger (AIM), server products from Red Hat, and other products. |
||
16 |
mozilla_projects_nss_fips_mode_-_an_explanation |
NSS |
NSS has a “FIPS Mode” that can be enabled when NSS is compiled in a specific way. (Note: Mozilla does not distribute a “FIPS Mode”-ready NSS with Firefox.) This page attempts to provide an informal explanation of what it is, who would use it, and why. |
||
17 |
mozilla_projects_nss_getting_started_with_nss |
Samples WIP |
Network Security Services (NSS) is a base library for cryptographic algorithms and secure network protocols used by Mozilla software. Would you like to get involved and help us to improve the core security of Mozilla Firefox and other applications that make use of NSS? We are looking forward to your contributions! We have a large list of tasks waiting for attention, and we are happy to assist you in identifying areas that match your interest or skills. You can find us on Mozilla IRC in channel `#nss <irc://irc.mozilla.org/#nss>`__ or you could ask your questions on the mozilla.dev.tech.crypto newsgroup. |
||
18 |
mozilla_projects_nss_http_delegation_clone |
Advanced, Guide, NSS |
Up to version 3.11, Legacy documentation connects directly over HTTP to an OCSP responder to make the request and fetch the response. It does so in a blocking fashion, and also directly to the responder, ignoring any proxy the application may wish to use. This causes OCSP requests to fail if the network environment requires the use of a proxy. |
||
19 |
mozilla_projects_nss_http_delegation |
Advanced, Guide, NSS |
Up to version 3.11, Legacy documentation connects directly over HTTP to an OCSP responder to make the request and fetch the response. It does so in a blocking fashion, and also directly to the responder, ignoring any proxy the application may wish to use. This causes OCSP requests to fail if the network environment requires the use of a proxy. |
||
20 |
mozilla_projects_nss_introduction_to_network_security_services |
Introduction, Mozilla, NSS |
Network Security Services (NSS) is a set of libraries designed to support cross-platform development of communications applications that support SSL, S/MIME, and other Internet security standards. For a general overview of NSS and the standards it supports, see mozilla_projects_nss_overview. |
||
21 |
mozilla_projects_nss_jss_4_4_0_release_notes |
D |
The Java Security Services (JSS) team has released JSS 4.4.0, which is a minor release. |
||
22 |
:ref:mozilla_projects_nss_jss |
Guide, JSS, NSS, NeedsMigration |
The JSS project has been relocated! |
||
23 |
mozilla_projects_nss_jss_4_3_releasenotes |
JSS, NSS |
Network Security Services for Java (JSS) 4.3 is a minor release with the following new features: |
||
24 |
mozilla_projects_nss_jss_4_3_1_release_notes |
JSS, NSPR, NSS |
Network Security Services for Java (JSS) 4.3.1 is a minor release with the following new features: |
||
25 |
:ref:mozilla_projects_nss_jss_build_instructions_for_jss_4_3_x |
JSS |
Newsgroup: mozilla.dev.tech.crypto |
||
26 |
:ref:mozilla_projects_nss_jss_build_instructions_for_jss_4_4_x |
JSS |
Newsgroup: mozilla.dev.tech.crypto |
||
27 |
mozilla_projects_nss_jss_jss_faq |
JSS |
Newsgroup: mozilla.dev.tech.crypto |
||
28 |
mozilla_projects_nss_jss_jss_provider_notes |
Crypto, JSS, Security |
This page has been moved to http://www.dogtagpki.org/wiki/JSS_Provider. |
||
29 |
:ref:mozilla_projects_nss_jss_mozilla-jss_jca_provider_notes |
|
Newsgroup: mozilla.dev.tech.crypto |
||
30 |
mozilla_projects_nss_jss_using_jss |
JSS |
Newsgroup: mozilla.dev.tech.crypto |
||
31 |
mozilla_projects_nss_key_log_format |
|
Key logs can be written by NSS so that external programs can decrypt TLS connections. Wireshark 1.6.0 and above can use these log files to decrypt packets. You can tell Wireshark where to find the key file via Edit→Preferences→Protocols→TLS→(Pre)-Master-Secret log filename. |
||
32 |
mozilla_projects_nss_memory_allocation |
NSS |
NSS makes extensive use of NSPR’s PLArenaPools for memory allocation. |
||
33 |
mozilla_projects_nss_modutil-tasks_html |
|
No summary! |
||
34 |
mozilla_projects_nss_new_nss_samples |
Example |
This collection of sample code demonstrates how NSS can be used for cryptographic operations, certificate handling, SSL, etc. It also demonstrates some best practices in the application of cryptography. |
||
35 |
mozilla_projects_nss_notes_on_tls_-_ssl_3_0_intolerant_servers |
Gecko, NSS, Security |
A number of Netscape 6.x/7.x and Mozilla users have reported that some secure sites – typically sites featuring online transactions or online banking over the HTTPS protocol – do not display any content at all. The connection seems terminated and a blank page is displayed. This is the main symptom of the problem when Mozilla based browsers encounter TLS/SSL 3.0 intolerant servers. |
||
36 |
mozilla_projects_nss_nss_3_11_10_release_notes_html |
|
Newsgroup: mozilla.dev.tech.crypto |
||
37 |
mozilla_projects_nss_nss_3_12_release_notes_html |
|
Newsgroup: mozilla.dev.tech.crypto |
||
38 |
mozilla_projects_nss_nss_3_12_1_release_notes_html |
|
Newsgroup: mozilla.dev.tech.crypto |
||
39 |
mozilla_projects_nss_nss_3_12_2_release_notes_html |
|
Newsgroup: mozilla.dev.tech.crypto |
||
40 |
mozilla_projects_nss_nss_3_12_3_release_notes |
|
Newsgroup: mozilla.dev.tech.crypto |
||
41 |
mozilla_projects_nss_nss_3_12_4_release_notes |
|
Network Security Services (NSS) 3.12.4 is a patch release for NSS 3.12. The bug fixes in NSS 3.12.4 are described in the “Bugs Fixed” section below. |
||
42 |
mozilla_projects_nss_nss_3_12_5_release_notes |
|
Network Security Services (NSS) 3.12.5 is a patch release for NSS 3.12. The bug fixes in NSS 3.12.5 are described in the “Bugs Fixed” section below. |
||
43 |
mozilla_projects_nss_nss_3_12_6_release_notes |
|
Network Security Services (NSS) 3.12.6 is a patch release for NSS 3.12. The bug fixes in NSS 3.12.6 are described in the “Bugs Fixed” section below. |
||
44 |
mozilla_projects_nss_nss_3_12_9_release_notes |
NSS |
Network Security Services (NSS) 3.12.9 is a patch release for NSS 3.12. The bug fixes in NSS 3.12.9 are described in the “Bugs Fixed” section below. |
||
45 |
mozilla_projects_nss_nss_3_14_release_notes |
|
The NSS team has released Network Security Services (NSS) 3.14, which is a minor release with the following new features: |
||
46 |
mozilla_projects_nss_nss_3_14_1_release_notes |
|
Network Security Services (NSS) 3.14.1 is a patch release for NSS 3.14. The bug fixes in NSS 3.14.1 are described in the “Bugs Fixed” section below. |
||
47 |
mozilla_projects_nss_nss_3_14_2_release_notes |
|
Network Security Services (NSS) 3.14.2 is a patch release for NSS 3.14. The bug fixes in NSS 3.14.2 are described in the “Bugs Fixed” section below. NSS 3.14.2 should be used with NSPR 4.9.5 or newer. |
||
48 |
mozilla_projects_nss_nss_3_14_3_release_notes |
|
Network Security Services (NSS) 3.14.3 is a patch release for NSS 3.14. The bug fixes in NSS 3.14.3 are described in the “Bugs Fixed” section below. |
||
49 |
mozilla_projects_nss_nss_3_14_4_release_notes |
|
Network Security Services (NSS) 3.14.4 is a patch release for NSS 3.14. The bug fixes in NSS 3.14.4 are described in the “Bugs Fixed” section below. |
||
50 |
mozilla_projects_nss_nss_3_14_5_release_notes |
|
Network Security Services (NSS) 3.14.5 is a patch release for NSS 3.14. The bug fixes in NSS 3.14.5 are described in the “Bugs Fixed” section below. |
||
51 |
mozilla_projects_nss_nss_3_15_release_notes |
|
The NSS team has released Network Security Services (NSS) 3.15, which is a minor release. |
||
52 |
mozilla_projects_nss_nss_3_15_1_release_notes |
|
Network Security Services (NSS) 3.15.1 is a patch release for NSS 3.15. The bug fixes in NSS 3.15.1 are described in the “Bugs Fixed” section below. |
||
53 |
mozilla_projects_nss_nss_3_15_2_release_notes |
|
Network Security Services (NSS) 3.15.2 is a patch release for NSS 3.15. The bug fixes in NSS 3.15.2 are described in the “Bugs Fixed” section below. |
||
54 |
mozilla_projects_nss_nss_3_15_3_release_notes |
|
Network Security Services (NSS) 3.15.3 is a patch release for NSS 3.15. The bug fixes in NSS 3.15.3 are described in the “Bugs Fixed” section below. |
||
55 |
mozilla_projects_nss_nss_3_15_3_1_release_notes |
|
Network Security Services (NSS) 3.15.3.1 is a patch release for NSS 3.15. The bug fixes in NSS 3.15.3.1 are described in the “Bugs Fixed” section below. |
||
56 |
mozilla_projects_nss_nss_3_15_4_release_notes |
|
Network Security Services (NSS) 3.15.4 is a patch release for NSS 3.15. The bug fixes in NSS 3.15.4 are described in the “Bugs Fixed” section below. |
||
57 |
mozilla_projects_nss_nss_3_15_5_release_notes |
|
Network Security Services (NSS) 3.15.5 is a patch release for NSS 3.15. The bug fixes in NSS 3.15.5 are described in the “Bugs Fixed” section below. |
||
58 |
mozilla_projects_nss_nss_3_16_release_notes |
|
The NSS team has released Network Security Services (NSS) 3.16, which is a minor release. |
||
59 |
mozilla_projects_nss_nss_3_16_1_release_notes |
|
Network Security Services (NSS) 3.16.1 is a patch release for NSS 3.16. The bug fixes in NSS 3.16.1 are described in the “Bugs Fixed” section below. |
||
60 |
mozilla_projects_nss_nss_3_16_2_release_notes |
|
Network Security Services (NSS) 3.16.2 is a patch release for NSS 3.16. The bug fixes in NSS 3.16.2 are described in the “Bugs Fixed” section below. |
||
61 |
mozilla_projects_nss_nss_3_16_2_1_release_notes |
Reference, Security |
Network Security Services (NSS) 3.16.2.1 is a patch release for NSS 3.16, based on the NSS 3.16.2 release. The bug fixes in NSS 3.16.2.1 are described in the “Bugs Fixed” section below. |
||
62 |
mozilla_projects_nss_nss_3_16_2_2_release_notes |
Reference, Security |
Network Security Services (NSS) 3.16.2.2 is a patch release for NSS 3.16. The bug fixes in NSS 3.16.2.2 are described in the “Bugs Fixed” section below. |
||
63 |
mozilla_projects_nss_nss_3_16_2_3_release_notes |
Reference, Security |
Network Security Services (NSS) 3.16.2.3 is a patch release for NSS 3.16. The bug fixes in NSS 3.16.2.3 are described in the “Bugs Fixed” section below. |
||
64 |
mozilla_projects_nss_nss_3_16_3_release_notes |
|
Network Security Services (NSS) 3.16.3 is a patch release for NSS 3.16. The bug fixes in NSS 3.16.3 are described in the “Bugs Fixed” section below. |
||
65 |
mozilla_projects_nss_nss_3_16_4_release_notes |
|
Network Security Services (NSS) 3.16.4 is a patch release for NSS 3.16. The bug fixes in NSS 3.16.4 are described in the “Bugs Fixed” section below. |
||
66 |
mozilla_projects_nss_nss_3_16_5_release_notes |
Reference, Security |
Network Security Services (NSS) 3.16.5 is a patch release for NSS 3.16. The bug fixes in NSS 3.16.5 are described in the “Bugs Fixed” section below. |
||
67 |
mozilla_projects_nss_nss_3_16_6_release_notes |
Reference, Security |
Network Security Services (NSS) 3.16.6 is a patch release for NSS 3.16. The bug fixes in NSS 3.16.6 are described in the “Bugs Fixed” section below. |
||
68 |
mozilla_projects_nss_nss_3_17_release_notes |
|
The NSS team has released Network Security Services (NSS) 3.17, which is a minor release. |
||
69 |
mozilla_projects_nss_nss_3_17_1_release_notes |
Reference, Security |
Network Security Services (NSS) 3.17.1 is a patch release for NSS 3.17. The bug fixes in NSS 3.17.1 are described in the “Bugs Fixed” section below. |
||
70 |
mozilla_projects_nss_nss_3_17_2_release_notes |
|
Network Security Services (NSS) 3.17.2 is a patch release for NSS 3.17. The bug fixes in NSS 3.17.2 are described in the “Bugs Fixed” section below. |
||
71 |
mozilla_projects_nss_nss_3_17_3_release_notes |
Guide, NSS, Security |
Network Security Services (NSS) 3.17.3 is a patch release for NSS 3.17. The bug fixes in NSS 3.17.3 are described in the “Bugs Fixed” section below. |
||
72 |
mozilla_projects_nss_nss_3_17_4_release_notes |
Guide, NSS, Security |
Network Security Services (NSS) 3.17.4 is a patch release for NSS 3.17. The bug fixes in NSS 3.17.4 are described in the “Bugs Fixed” section below. |
||
73 |
mozilla_projects_nss_nss_3_18_release_notes |
Guide, NSS, NeedsContent, Security |
The NSS team has released Network Security Services (NSS) 3.18, which is a minor release. |
||
74 |
mozilla_projects_nss_nss_3_18_1_release_notes |
Networking, Security |
Network Security Services (NSS) 3.18.1 is a patch release for NSS 3.18. The bug fixes in NSS 3.18.1 are described in the “Bugs Fixed” section below. |
||
75 |
mozilla_projects_nss_nss_3_19_release_notes |
|
The NSS team has released Network Security Services (NSS) 3.19, which is a minor security release. |
||
76 |
mozilla_projects_nss_nss_3_19_1_release_notes |
|
Network Security Services (NSS) 3.19.1 is a security release for NSS 3.19. The bug fixes in NSS 3.19.1 are described in the “Bugs Fixed” section below. |
||
77 |
mozilla_projects_nss_nss_3_19_2_release_notes |
|
Network Security Services (NSS) 3.19.2 is a patch release for NSS 3.19 that addresses compatibility issues in NSS 3.19.1. |
||
78 |
mozilla_projects_nss_nss_3_19_2_1_release_notes |
|
Network Security Services (NSS) 3.19.2.1 is a patch release for NSS 3.19.2. The bug fixes in NSS 3.19.2.1 are described in the “Security Advisories” section below. |
||
79 |
mozilla_projects_nss_nss_3_19_2_2_release_notes |
|
Network Security Services (NSS) 3.19.2.2 is a security patch release for NSS 3.19.2. The bug fixes in NSS 3.19.2.2 are described in the “Security Fixes” section below. |
||
80 |
mozilla_projects_nss_nss_3_19_2_3_release_notes |
|
Network Security Services (NSS) 3.19.2.3 is a security patch release for NSS 3.19.2. The bug fixes in NSS 3.19.2.3 are described in the “Security Fixes” section below. |
||
81 |
mozilla_projects_nss_nss_3_19_2_4_release_notes |
NSS |
Network Security Services (NSS) 3.19.2.4 is a security patch release for NSS 3.19.2. The bugs fixed in NSS 3.19.2.4 are described in the “Security Fixes” section below. |
||
82 |
mozilla_projects_nss_nss_3_19_3_release_notes |
|
Network Security Services (NSS) 3.19.3 is a patch release for NSS 3.19. The bug fixes in NSS 3.19.3 are described in the “Bugs Fixed” section below. |
||
83 |
mozilla_projects_nss_nss_3_19_4_release_notes |
|
Network Security Services (NSS) 3.19.4 is a patch release for NSS 3.19. The bug fixes in NSS 3.19.4 are described in the “Security Advisories” section below. |
||
84 |
mozilla_projects_nss_nss_3_20_release_notes |
|
The NSS team has released Network Security Services (NSS) 3.20, which is a minor release. |
||
85 |
mozilla_projects_nss_nss_3_20_1_release_notes |
|
Network Security Services (NSS) 3.20.1 is a patch release for NSS 3.20. The bug fixes in NSS 3.20.1 are described in the “Security Advisories” section below. |
||
86 |
mozilla_projects_nss_nss_3_20_2_release_notes |
|
Network Security Services (NSS) 3.20.2 is a security patch release for NSS 3.20. The bug fixes in NSS 3.20.2 are described in the “Security Fixes” section below. |
||
87 |
mozilla_projects_nss_nss_3_21_release_notes |
|
2016-01-07, this page has been updated to include additional information about the release. The sections “Security Fixes” and “Acknowledgements” have been added. |
||
88 |
mozilla_projects_nss_nss_3_21_1_release_notes |
|
Network Security Services (NSS) 3.21.1 is a security patch release for NSS 3.21. The bug fixes in NSS 3.21.1 are described in the “Security Fixes” section below. |
||
89 |
mozilla_projects_nss_nss_3_21_2_release_notes |
|
Network Security Services (NSS) 3.21.2 is a security patch release for NSS 3.21.1. The bug fixes in NSS 3.21.2 are described in the “Security Fixes” section below. |
||
90 |
mozilla_projects_nss_nss_3_21_3_release_notes |
|
Network Security Services (NSS) 3.21.3 is a security patch release for NSS 3.21.2. The bug fixes in NSS 3.21.3 are described in the “Security Fixes” section below. |
||
91 |
mozilla_projects_nss_nss_3_21_4_release_notes |
|
Network Security Services (NSS) 3.21.4 is a security patch release for NSS 3.21. The bug fixes in NSS 3.21.4 are described in the “Bugs Fixed” section below. |
||
92 |
mozilla_projects_nss_nss_3_22_release_notes |
|
The NSS team has released Network Security Services (NSS) 3.22, which is a minor release. |
||
93 |
mozilla_projects_nss_nss_3_22_1_release_notes |
|
Network Security Services (NSS) 3.22.1 is a patch release for NSS 3.22. The bug fixes in NSS 3.22.1 are described in the “Notable Changes” section below. |
||
94 |
mozilla_projects_nss_nss_3_22_2_release_notes |
|
Network Security Services (NSS) 3.22.2 is a security patch release for NSS 3.22. The bug fixes in NSS 3.22.2 are described in the “Security Fixes” section below. |
||
95 |
mozilla_projects_nss_nss_3_22_3_release_notes |
|
Network Security Services (NSS) 3.22.3 is a patch release for NSS 3.22. The bug fixes in NSS 3.22.3 are described in the “Bugs fixed” section below. |
||
96 |
mozilla_projects_nss_nss_3_23_release_notes |
Networking, Security |
The NSS team has released Network Security Services (NSS) 3.23, which is a minor release. |
||
97 |
mozilla_projects_nss_nss_3_24_release_notes |
NSS, Release Notes |
The Network Security Services (NSS) team has released NSS 3.24, which is a minor release. |
||
98 |
mozilla_projects_nss_nss_3_25_release_notes |
NSS, Release Notes |
The Network Security Services (NSS) team has released NSS 3.25, which is a minor release. |
||
99 |
mozilla_projects_nss_nss_3_25_1_release_notes |
|
Network Security Services (NSS) 3.25.1 is a patch release for NSS 3.25. |
||
100 |
mozilla_projects_nss_nss_3_26_release_notes |
NSS, Release Notes |
The Network Security Services (NSS) team has released NSS 3.26, which is a minor release. |
||
101 |
mozilla_projects_nss_nss_3_26_2_release_notes |
|
Network Security Services (NSS) 3.26.2 is a patch release for NSS 3.26. |
||
102 |
mozilla_projects_nss_nss_3_27_release_notes |
|
The Network Security Services (NSS) team has released NSS 3.27, which is a minor release. |
||
103 |
mozilla_projects_nss_nss_3_27_1_release_notes |
|
Network Security Services (NSS) 3.27.1 is a patch release for NSS 3.27. |
||
104 |
mozilla_projects_nss_nss_3_27_2_release_notes |
|
Network Security Services (NSS) 3.27.2 is a patch release for NSS 3.27. |
||
105 |
mozilla_projects_nss_nss_3_28_release_notes |
|
The Network Security Services (NSS) team has released NSS 3.28, which is a minor release. |
||
106 |
mozilla_projects_nss_nss_3_28_1_release_notes |
|
Network Security Services (NSS) 3.28.1 is a patch release for NSS 3.28. The bug fixes in NSS 3.28.1 are described in the “Bugs Fixed” section below. |
||
107 |
mozilla_projects_nss_nss_3_28_2_release_notes |
|
Network Security Services (NSS) 3.28.2 is a patch release for NSS 3.28. |
||
108 |
mozilla_projects_nss_nss_3_28_3_release_notes |
|
Network Security Services (NSS) 3.28.3 is a patch release for NSS 3.28. The bug fixes in NSS 3.28.3 are described in the “Bugs Fixed” section below. |
||
109 |
mozilla_projects_nss_nss_3_28_4_release_notes |
|
Network Security Services (NSS) 3.28.4 is a security patch release for NSS 3.28. The bug fixes in NSS 3.28.4 are described in the “Bugs Fixed” section below. |
||
110 |
mozilla_projects_nss_nss_3_28_5_release_notes |
|
Network Security Services (NSS) 3.28.5 is a patch release for NSS 3.28. The bug fixes in NSS 3.28.5 are described in the “Bugs Fixed” section below. |
||
111 |
mozilla_projects_nss_nss_3_29_release_notes |
|
The Network Security Services (NSS) team has released NSS 3.29, which is a minor release. |
||
112 |
mozilla_projects_nss_nss_3_29_1_release_notes |
|
Network Security Services (NSS) 3.29.1 is a patch release for NSS 3.29. The bug fixes in NSS 3.29.1 are described in the “Bugs Fixed” section below. |
||
113 |
mozilla_projects_nss_nss_3_29_2_release_notes |
|
Network Security Services (NSS) 3.29.2 is a patch release for NSS 3.29. The bug fixes in NSS 3.29.2 are described in the “Bugs Fixed” section below. |
||
114 |
mozilla_projects_nss_nss_3_29_3_release_notes |
|
Network Security Services (NSS) 3.29.3 is a patch release for NSS 3.29. The bug fixes in NSS 3.29.3 are described in the “Bugs Fixed” section below. |
||
115 |
mozilla_projects_nss_nss_3_29_5_release_notes |
|
Network Security Services (NSS) 3.29.5 is a security patch release for NSS 3.29. The bug fixes in NSS 3.29.5 are described in the “Bugs Fixed” section below. |
||
116 |
mozilla_projects_nss_nss_3_30_release_notes |
|
The Network Security Services (NSS) team has released NSS 3.30, which is a minor release. |
||
117 |
mozilla_projects_nss_nss_3_30_1_release_notes |
|
Network Security Services (NSS) 3.30.1 is a security patch release for NSS 3.30. The bug fixes in NSS 3.30.1 are described in the “Bugs Fixed” section below. |
||
118 |
mozilla_projects_nss_nss_3_30_2_release_notes |
|
Network Security Services (NSS) 3.30.2 is a patch release for NSS 3.30. The bug fixes in NSS 3.30.2 are described in the “Bugs Fixed” section below. |
||
119 |
mozilla_projects_nss_nss_3_31_release_notes |
|
The Network Security Services (NSS) team has released NSS 3.31, which is a minor release. |
||
120 |
mozilla_projects_nss_nss_3_31_1_release_notes |
|
The Network Security Services (NSS) team has released NSS 3.31.1, which is a patch release for NSS 3.31. |
||
121 |
mozilla_projects_nss_nss_3_32_release_notes |
|
The Network Security Services (NSS) team has released NSS 3.32, which is a minor release. |
||
122 |
mozilla_projects_nss_nss_3_33_release_notes |
|
The Network Security Services (NSS) team has released NSS 3.33, which is a minor release. |
||
123 |
mozilla_projects_nss_nss_3_34_release_notes |
|
The Network Security Services (NSS) team has released NSS 3.34, which is a minor release. |
||
124 |
mozilla_projects_nss_nss_3_34_1_release_notes |
|
The Network Security Services (NSS) team has released NSS 3.34.1, which is a minor release. |
||
125 |
mozilla_projects_nss_nss_3_35_release_notes |
|
The NSS team has released Network Security Services (NSS) 3.35, which is a minor release. |
||
126 |
mozilla_projects_nss_nss_3_36_release_notes |
|
The NSS team has released Network Security Services (NSS) 3.36, which is a minor release. |
||
127 |
mozilla_projects_nss_nss_3_36_1_release_notes |
|
Network Security Services (NSS) 3.36.1 is a patch release for NSS 3.36. |
||
128 |
mozilla_projects_nss_nss_3_36_2_release_notes |
NSS, Release Notes |
Network Security Services (NSS) 3.36.2 is a patch release for NSS 3.36. |
||
129 |
mozilla_projects_nss_nss_3_36_4_release_notes |
NSS, Release Notes |
Network Security Services (NSS) 3.36.4 is a patch release for NSS 3.36. |
||
130 |
mozilla_projects_nss_nss_3_36_5_release_notes |
Mozilla, NSS, Release Notes |
Network Security Services (NSS) 3.36.5 is a patch release for NSS 3.36. The bug fixes in NSS 3.36.5 are described in the “Bugs Fixed” section below. |
||
131 |
mozilla_projects_nss_nss_3_36_6_release_notes |
Mozilla, NSS, Release Notes |
Network Security Services (NSS) 3.36.6 is a patch release for NSS 3.36. The bug fixes in NSS 3.36.6 are described in the “Bugs Fixed” section below. |
||
132 |
mozilla_projects_nss_nss_3_36_7_release_notes |
|
Network Security Services (NSS) 3.36.7 is a patch release for NSS 3.36. The bug fixes in NSS 3.36.7 are described in the “Bugs Fixed” section below. It was released on 19 January 2019. |
||
133 |
mozilla_projects_nss_nss_3_36_8_release_notes |
|
Network Security Services (NSS) 3.36.8 is a patch release for NSS 3.36. The bug fixes in NSS 3.36.8 are described in the “Bugs Fixed” section below. It was released on 21 June 2019. |
||
134 |
mozilla_projects_nss_nss_3_37_release_notes |
|
The NSS team has released Network Security Services (NSS) 3.37, which is a minor release. |
||
135 |
mozilla_projects_nss_nss_3_37_1_release_notes |
|
Network Security Services (NSS) 3.37.1 is a patch release for NSS 3.37. |
||
136 |
mozilla_projects_nss_nss_3_37_3release_notes |
|
Network Security Services (NSS) 3.37.3 is a patch release for NSS 3.37. |
||
137 |
mozilla_projects_nss_nss_3_38_release_notes |
Mozilla, NSS, Release Notes |
The NSS team has released Network Security Services (NSS) 3.38, which is a minor release. |
||
138 |
mozilla_projects_nss_nss_3_39_release_notes |
|
The NSS team has released Network Security Services (NSS) 3.39, which is a minor release. |
||
139 |
mozilla_projects_nss_nss_3_40_release_notes |
|
The NSS team has released Network Security Services (NSS) 3.40, which is a minor release. |
||
140 |
mozilla_projects_nss_nss_3_40_1_release_notes |
|
The NSS team has released Network Security Services (NSS) 3.40.1, which is a patch release for NSS 3.40. |
||
141 |
mozilla_projects_nss_nss_3_41_release_notes |
|
The NSS team has released Network Security Services (NSS) 3.41 on 7 December 2018, which is a minor release. |
||
142 |
mozilla_projects_nss_nss_3_41_1_release_notes |
|
Network Security Services (NSS) 3.41.1 is a patch release for NSS 3.41. The bug fixes in NSS 3.41.1 are described in the “Bugs Fixed” section below. It was released on 22 January 2019. |
||
143 |
mozilla_projects_nss_nss_3_42_release_notes |
|
The NSS team has released Network Security Services (NSS) 3.42 on 25 January 2019, which is a minor release. |
||
144 |
mozilla_projects_nss_nss_3_42_1_release_notes |
|
The NSS team has released Network Security Services (NSS) 3.42.1 on 31 January 2019, which is a patch release. |
||
145 |
mozilla_projects_nss_nss_3_43_release_notes |
|
The NSS team has released Network Security Services (NSS) 3.43 on 16 March 2019, which is a minor release. |
||
146 |
mozilla_projects_nss_nss_3_44_release_notes |
|
The NSS team has released Network Security Services (NSS) 3.44 on 10 May 2019, which is a minor release. |
||
147 |
mozilla_projects_nss_nss_3_44_1_release_notes |
|
Network Security Services (NSS) 3.44.1 is a patch release for NSS 3.44. The bug fixes in NSS 3.44.1 are described in the “Bugs Fixed” section below. It was released on 21 June 2019. |
||
148 |
mozilla_projects_nss_nss_3_44_2_release_notes |
|
Network Security Services (NSS) 3.44.2 is a patch release for NSS 3.44. The bug fixes in NSS 3.44.2 are described in the “Bugs Fixed” section below. It was released on 2 October 2019. |
||
149 |
mozilla_projects_nss_nss_3_44_3_release_notes |
|
Network Security Services (NSS) 3.44.3 is a patch release for NSS 3.44. The bug fixes in NSS 3.44.3 are described in the “Bugs Fixed” section below. It was released on 19 November 2019. |
||
150 |
mozilla_projects_nss_nss_3_44_4_release_notes |
|
The NSS team has released Network Security Services (NSS) 3.44.4 on 19 May 2020. This is a security patch release. |
||
151 |
mozilla_projects_nss_nss_3_45_release_notes |
|
The NSS team has released Network Security Services (NSS) 3.45 on 5 July 2019, which is a minor release. |
||
152 |
mozilla_projects_nss_nss_3_46_release_notes |
|
The NSS team has released Network Security Services (NSS) 3.46 on 30 August 2019, which is a minor release. |
||
153 |
mozilla_projects_nss_nss_3_46_1_release_notes |
|
Network Security Services (NSS) 3.46.1 is a patch release for NSS 3.46. The bug fixes in NSS 3.46.1 are described in the “Bugs Fixed” section below. It was released on 2 October 2019. |
||
154 |
mozilla_projects_nss_nss_3_47_release_notes |
|
The NSS team has released Network Security Services (NSS) 3.47 on 18 October 2019, which is a minor release. |
||
155 |
mozilla_projects_nss_nss_3_47_1_release_notes |
|
Network Security Services (NSS) 3.47.1 is a patch release for NSS 3.47. The bug fixes in NSS 3.47.1 are described in the “Bugs Fixed” section below. It was released on 19 November 2019. |
||
156 |
mozilla_projects_nss_nss_3_48_release_notes |
|
The NSS team has released Network Security Services (NSS) 3.48 on 5 December 2019, which is a minor release. |
||
157 |
mozilla_projects_nss_nss_3_48_1_release_notes |
|
Network Security Services (NSS) 3.48.1 is a patch release for NSS 3.48. The bug fixes in NSS 3.48.1 are described in the “Bugs Fixed” section below. It was released on 13 January 2020. |
||
158 |
mozilla_projects_nss_nss_3_49_release_notes |
|
The NSS team has released Network Security Services (NSS) 3.49 on 3 January 2020, which is a minor release. |
||
159 |
mozilla_projects_nss_nss_3_49_1_release_notes |
|
Network Security Services (NSS) 3.49.1 is a patch release for NSS 3.49. The bug fixes in NSS 3.49.1 are described in the “Bugs Fixed” section below. It was released on 13 January 2020. |
||
160 |
mozilla_projects_nss_nss_3_49_2_release_notes |
|
Network Security Services (NSS) 3.49.2 is a patch release for NSS 3.49. The bug fixes in NSS 3.49.2 are described in the “Bugs Fixed” section below. It was released on 23 January 2020. |
||
161 |
mozilla_projects_nss_nss_3_50_release_notes |
|
The NSS team has released Network Security Services (NSS) 3.50 on 7 February 2020, which is a minor release. |
||
162 |
mozilla_projects_nss_nss_3_51_release_notes |
|
The NSS team has released Network Security Services (NSS) 3.51 on 6 March 2020, which is a minor release. |
||
163 |
mozilla_projects_nss_nss_3_51_1_release_notes |
|
The NSS team has released Network Security Services (NSS) 3.51.1 on 3 April 2020. This is a minor release focusing on functional bug fixes and low-risk patches only. |
||
164 |
mozilla_projects_nss_nss_3_52_release_notes |
|
The NSS team has released Network Security Services (NSS) 3.52 on 1 May 2020. |
||
165 |
mozilla_projects_nss_nss_3_52_1_release_notes |
|
The NSS team has released Network Security Services (NSS) 3.52.1 on 19 May 2020. This is a security patch release. |
||
166 |
mozilla_projects_nss_nss_3_53_release_notes |
|
The NSS team released Network Security Services (NSS) 3.53 on 29 May 2020. NSS 3.53 will be a long-term support release, supporting Firefox 78 ESR. |
||
167 |
mozilla_projects_nss_nss_3_53_1_release_notes |
|
The NSS team has released Network Security Services (NSS) 3.53.1 on 16 June 2020. This is a security patch release. |
||
168 |
mozilla_projects_nss_nss_3_54_release_notes |
|
The NSS team has released Network Security Services (NSS) 3.54 on 26 June 2020, which is a minor release. |
||
169 |
mozilla_projects_nss_nss_3_55_release_notes |
|
The NSS team has released Network Security Services (NSS) 3.55 on 24 July 2020, which is a minor release. |
||
170 |
mozilla_projects_nss_nss_3_56_release_notes |
|
The NSS team has released Network Security Services (NSS) 3.56 on 21 August 2020, which is a minor release. |
||
171 |
mozilla_projects_nss_nss_3_57_release_notes |
|
The NSS team has released Network Security Services (NSS) 3.57 on 18 September 2020, which is a minor release. |
||
172 |
mozilla_projects_nss_nss_3_58_release_notes |
|
The NSS team has released Network Security Services (NSS) 3.58 on 16 October 2020, which is a minor release. |
||
173 |
mozilla_projects_nss_nss_3_59_release_notes |
|
The NSS team has released Network Security Services (NSS) 3.59 on 13 November 2020, which is a minor release. |
||
174 |
mozilla_projects_nss_nss_3_59_1_release_notes |
|
The NSS team has released Network Security Services (NSS) 3.59.1 on 18 December 2020, which is a patch release for NSS 3.59. |
||
175 |
mozilla_projects_nss_nss_3_60_release_notes |
|
The NSS team has released Network Security Services (NSS) 3.60 on 11 December 2020, which is a minor release. |
||
176 |
mozilla_projects_nss_nss_3_60_1_release_notes |
|
The NSS team released Network Security Services (NSS) 3.60.1 on 4 January 2021, which is a patch release for NSS 3.60. |
||
177 |
mozilla_projects_nss_nss_3_61_release_notes |
|
The NSS team released Network Security Services (NSS) 3.61 on 22 January 2021, which is a minor release. |
||
178 |
mozilla_projects_nss_nss_3_62_release_notes |
|
The NSS team released Network Security Services (NSS) 3.62 on 19 February 2021, which is a minor release. |
||
179 |
mozilla_projects_nss_nss_3_63_release_notes |
|
Network Security Services (NSS) 3.63 was released on 18 March 2021. |
||
180 |
mozilla_projects_nss_nss_3_63_1_release_notes |
|
Network Security Services (NSS) 3.63.1 was released on 6 April 2021. |
||
181 |
mozilla_projects_nss_nss_3_64_release_notes |
|
Network Security Services (NSS) 3.64 was released on 15 April 2021. |
||
182 |
mozilla_projects_nss_nss_api_guidelines |
|
Newsgroup: mozilla.dev.tech.crypto |
||
183 |
mozilla_projects_nss_nss_config_options |
|
The specified ciphers will be allowed by policy, but an application may allow more by policy explicitly: |
||
184 |
mozilla_projects_nss_nss_developer_tutorial |
NSS, Tutorial |
Line length should not exceed 80 characters. |
||
185 |
mozilla_projects_nss_nss_release_notes_template |
|
The NSS team has released Network Security Services (NSS) 3.XX, which is a minor release. or Network Security Services (NSS) 3.XX.y is a patch release for NSS 3.XX. The bug fixes in NSS 3.XX.y are described in the “Bugs Fixed” section below. |
||
186 |
mozilla_projects_nss_nss_releases |
Landing, Mozilla, NSS, Networking, Project, Release Notes, Security |
The current Stable release of NSS is 3.64, which was released on 15 April 2021. (mozilla_projects_nss_nss_3_64_release_notes) |
||
187 |
mozilla_projects_nss_nss_sample_code |
Example |
The collection of sample code here demonstrates how NSS can be used for cryptographic operations, certificate handling, SSL, etc. It also demonstrates some best practices in the application of cryptography. |
||
188 |
mozilla_projects_nss_nss_sample_code_enc_dec_mac_output_plblic_key_as_csr |
|
Generates encryption/mac keys and outputs public key as certificate signing request |
||
189 |
mozilla_projects_nss_nss_sample_code_enc_dec_mac_using_key_wrap_certreq_pkcs10_csr |
|
Generates encryption/mac keys and outputs public key as pkcs11 certificate signing request |
||
190 |
mozilla_projects_nss_nss_sample_code_encrypt_decrypt_mac_using_token |
|
Generates encryption/mac keys and uses token for storing. |
||
191 |
mozilla_projects_nss_nss_sample_code_nss_sample_code_sample_1_hashing |
Examples, NSS, Security |
This is an example program that demonstrates how to compute the hash of a file and save it to another file. This program illustrates the use of NSS message APIs. |
||
192 |
mozilla_projects_nss_nss_sample_code_nss_sample_code_sample_2_initialization_of_nss |
Examples, NSS, Security |
This example program demonstrates how to initialize the NSS Database. This program illustrates password handling. |
||
193 |
:ref:mozilla_projects_nss_nss_sample_code_nss_sample_code_sample_3_basic_encryption_and_maci |
Examples, NSS, Security |
This example program demonstrates how to encrypt and MAC a file. |
||
194 |
mozilla_projects_nss_nss_sample_code_nss_sample_code_sample1 |
|
This is an example program that demonstrates how to do key generation and transport between cooperating servers. This program shows the following: |
||
195 |
mozilla_projects_nss_nss_sample_code_nss_sample_code_sample2 |
|
No summary! |
||
196 |
mozilla_projects_nss_nss_sample_code_nss_sample_code_sample3 |
|
No summary! |
||
197 |
mozilla_projects_nss_nss_sample_code_nss_sample_code_sample4 |
|
No summary! |
||
198 |
mozilla_projects_nss_nss_sample_code_nss_sample_code_sample5 |
|
No summary! |
||
199 |
mozilla_projects_nss_nss_sample_code_nss_sample_code_sample6 |
|
No summary! |
||
200 |
mozilla_projects_nss_nss_sample_code_nss_sample_code_utililies_1 |
Examples, NSS, Security |
This is a library of utilities used by many of the samples. This code shows the following: |
||
201 |
mozilla_projects_nss_nss_sample_code_sample1_-_hashing |
HTML, Hashing Sample, JavaScript, NSS, Web Development, hashing |
The NSS sample code below computes the hash of a file and saves it to another file. This illustrates the use of NSS message APIs. |
||
202 |
mozilla_projects_nss_nss_sample_code_sample1 |
Example, NSS |
1. A program to compute the hash of a file and save it to another file. |
||
203 |
mozilla_projects_nss_nss_sample_code_sample2_-_initialize_nss_database |
HTML, JavaScript, NSS, NSS Article, NSS Initialization, Web Development |
The NSS sample code below demonstrates how to initialize the NSS database. |
||
204 |
mozilla_projects_nss_nss_sample_code_sample2 |
|
No summary! |
||
205 |
mozilla_projects_nss_nss_sample_code_sample3_-_encdecmac_using_token_object |
EncDeCMac, HTML, NCC, NCC Article, Web, Web Development |
Computes the hash of a file and saves it to another file, illustrates the use of NSS message APIs. |
||
206 |
mozilla_projects_nss_nss_sample_code_utiltiies_for_nss_samples |
|
These utility functions are adapted from those found in the sectool library used by the NSS security tools and other NSS test applications. |
||
207 |
mozilla_projects_nss_nss_sources_building_testing |
Build documentation, Guide, NSS, Security |
Getting the source code of Legacy documentation, how to build it, and how to run its test suite. |
||
208 |
mozilla_projects_nss_nss_tech_notes |
NSS |
Newsgroup: mozilla.dev.tech.crypto |
||
209 |
mozilla_projects_nss_nss_tech_notes_nss_tech_note1 |
|
The main non-streaming APIs for these two decoders have an identical prototype : |
||
210 |
mozilla_projects_nss_nss_tech_notes_nss_tech_note2 |
|
The logger displays all activity between NSS and a specified PKCS #11 module. It works by inserting a special set of entry points between NSS and the module. |
||
211 |
mozilla_projects_nss_nss_tech_notes_nss_tech_note3 |
|
No summary! |
||
212 |
mozilla_projects_nss_nss_tech_notes_nss_tech_note4 |
|
No summary! |
||
213 |
mozilla_projects_nss_nss_tech_notes_nss_tech_note5 |
|
Note: For AES encryption, a fixed blocksize of 16 bytes is used. The Rijndael algorithm permits 3 blocksizes (16, 24, 32 bytes), but the AES standard requires the blocksize to be 16 bytes. The keysize can vary and these keysizes are permitted: 16, 24, 32 bytes. You can also look at a sample program illustrating encryption |
||
214 |
mozilla_projects_nss_nss_tech_notes_nss_tech_note6 |
|
The following applies to NSS 3.8 through 3.10 : |
||
215 |
mozilla_projects_nss_nss_tech_notes_nss_tech_note7 |
|
This technical note explains how to use NSS to perform RSA signing and encryption. The industry standard for RSA signing and encryption is PKCS #1. NSS supports PKCS #1 v1.5. NSS doesn’t yet support PKCS #1 v2.0 and v2.1, in particular OAEP, but OAEP support is on our to-do list. Your contribution is welcome. |
||
216 |
mozilla_projects_nss_nss_tech_notes_nss_tech_note8 |
|
No summary! |
||
217 |
mozilla_projects_nss_nss_third-party_code |
NSS, Security, Third-Party Code |
This is a list of third-party code included in the NSS repository, broken into two lists: Code that can be compiled into the NSS libraries, and code that is only used for testing. |
||
218 |
mozilla_projects_nss_nss_tools_sslstrength |
|
2) sslstrength hostname[:port] [ciphers=xyz] [debug] [verbose] [policy=export|domestic] |
||
219 |
mozilla_projects_nss_overview |
NSS |
If you want to add support for SSL, S/MIME, or other Internet security standards to your application, you can use Network Security Services (NSS) to implement all your security features. NSS provides a complete open-source implementation of the crypto libraries used by AOL, Red Hat, Google, and other companies in a variety of products, including the following: |
||
220 |
mozilla_projects_nss_pkcs_12_functions |
NSS |
The public functions listed here perform PKCS #12 operations required by some of the NSS tools and other applications. |
||
221 |
mozilla_projects_nss_pkcs_7_functions |
NSS |
The public functions listed here perform PKCS #7 operations required by mail and news applications and by some of the NSS tools. |
||
222 |
mozilla_projects_nss_pkcs11_functions |
NSS |
This chapter describes the core PKCS #11 functions that an application needs for communicating with cryptographic modules. In particular, these functions are used for obtaining certificates, keys, and passwords. This was converted from “Chapter 7: PKCS #11 Functions”. |
||
223 |
mozilla_projects_nss_pkcs11_implement |
|
NOTE: This document was originally for the Netscape Security Library that came with Netscape Communicator 4.0. This note will be removed once the document is updated for the current version of NSS. |
||
224 |
mozilla_projects_nss_pkcs11 |
NSS, Security |
PKCS #11 information for implementors of cryptographic modules: |
||
225 |
mozilla_projects_nss_pkcs11_faq |
NSS, Security |
NSS searches all the installed PKCS #11 modules when looking for certificates. Once you’ve installed the module, the module’s certificates simply appear in the list of certificates displayed in the Certificate window. |
||
226 |
mozilla_projects_nss_pkcs11_module_installation |
Authentication, Biometric, Mozilla, NSS, PKCS #11, Projects, Security, Smart Card, Smart-card, Smartcard, pkcs11 |
PKCS #11 modules are external modules which add to Firefox support for smartcard readers, biometric security devices, and external certificate stores. This article covers the two methods for installing PKCS #11 modules into Firefox. |
||
227 |
mozilla_projects_nss_pkcs11_module_specs |
NSS |
The following is a proposal to the PKCS #11 working group made in August 2001 for configuring PKCS #11 modules. NSS currently implements this proposal internally. |
||
228 |
mozilla_projects_nss_python_binding_for_nss |
|
python-nss is a Python binding for NSS (Network Security Services) and NSPR (Netscape Portable Runtime). NSS provides cryptography services supporting SSL, TLS, PKI, PKIX, X509, PKCS*, etc. NSS is an alternative to OpenSSL and used extensively by major software projects. NSS is FIPS-140 certified. |
||
229 |
mozilla_projects_nss_reference |
NSS |
Based on mozilla_projects_nss_ssl_functions_sslintro in the SSL Reference. |
||
230 |
mozilla_projects_nss_reference_building_and_installing_nss |
NSS |
This chapter describes how to build and install NSS. |
||
231 |
mozilla_projects_nss_reference_building_and_installing_nss_build_instructions |
NSS |
Numerous optional features of NSS builds are controlled through make variables. |
||
232 |
mozilla_projects_nss_reference_building_and_installing_nss_installation_guide |
NSS |
The build system of NSS originated from Netscape’s build system, which predated the “configure; make; make test; make install” sequence that we’re familiar with now. Our makefiles also have an “install” target, but it has a different meaning: our “install” means installing the headers, libraries, and programs in the appropriate directories under mozilla/dist. |
||
233 |
mozilla_projects_nss_reference_building_and_installing_nss_migration_to_hg |
|
The NSPR, NSS and related projects have stopped using Mozilla’s CVS server and have migrated to Mozilla’s HG (Mercurial) server. Each project now lives in its own separate space; they can be found at:
//hg.mozilla.org/projects/jss/ https://hg.mozilla.org/projects/python-nss/ |
||
234 |
mozilla_projects_nss_reference_building_and_installing_nss_sample_manual_installation |
NSS |
The NSS build system does not include a target to install header files and shared libraries in the system directories, so this needs to be done manually. |
||
235 |
mozilla_projects_nss_reference_fc_cancelfunction |
NSS |
FC_CancelFunction - cancel a function running in parallel |
||
236 |
mozilla_projects_nss_reference_fc_closeallsessions |
NSS |
FC_CloseAllSessions - close all sessions between an application and a token. |
||
237 |
mozilla_projects_nss_reference_fc_closesession |
NSS |
FC_CloseSession - close a session opened between an application and a token. |
||
238 |
mozilla_projects_nss_reference_fc_copyobject |
NSS |
FC_CopyObject - create a copy of an object. |
||
239 |
mozilla_projects_nss_reference_fc_createobject |
NSS |
FC_CreateObject - create a new object. |
||
240 |
mozilla_projects_nss_reference_fc_decrypt |
NSS |
FC_Decrypt - Decrypt a block of data. |
||
241 |
mozilla_projects_nss_reference_fc_decryptdigestupdate |
NSS |
FC_DecryptDigestUpdate - continue a multi-part decrypt and digest operation |
||
242 |
mozilla_projects_nss_reference_fc_decryptfinal |
NSS |
FC_DecryptFinal - finish a multi-part decryption operation. |
||
243 |
mozilla_projects_nss_reference_fc_decryptinit |
NSS |
FC_DecryptInit - initialize a decryption operation. |
||
244 |
mozilla_projects_nss_reference_fc_decryptupdate |
NSS |
FC_DecryptUpdate - decrypt a block of a multi-part encryption operation. |
||
245 |
mozilla_projects_nss_reference_fc_decryptverifyupdate |
NSS |
FC_DecryptVerifyUpdate - continue a multi-part decrypt and verify operation |
||
246 |
mozilla_projects_nss_reference_fc_derivekey |
NSS |
FC_DeriveKey - derive a key from a base key |
||
247 |
mozilla_projects_nss_reference_fc_destroyobject |
NSS |
FC_DestroyObject - destroy an object. |
||
248 |
mozilla_projects_nss_reference_fc_digest |
NSS |
FC_Digest - digest a block of data. |
||
249 |
mozilla_projects_nss_reference_fc_digestencryptupdate |
NSS |
FC_DigestEncryptUpdate - continue a multi-part digest and encryption operation |
||
250 |
mozilla_projects_nss_reference_fc_digestfinal |
NSS |
FC_DigestFinal - finish a multi-part digest operation. |
||
251 |
mozilla_projects_nss_reference_fc_digestinit |
NSS |
FC_DigestInit - initialize a message-digest operation. |
||
252 |
mozilla_projects_nss_reference_fc_digestkey |
NSS |
FC_DigestKey - add the digest of a key to a multi-part digest operation. |
||
253 |
mozilla_projects_nss_reference_fc_digestupdate |
NSS |
FC_DigestUpdate - process the next block of a multi-part digest operation. |
||
254 |
mozilla_projects_nss_reference_fc_encrypt |
NSS |
FC_Encrypt - Encrypt a block of data. |
||
255 |
mozilla_projects_nss_reference_fc_encryptfinal |
NSS |
FC_EncryptFinal - finish a multi-part encryption operation. |
||
256 |
mozilla_projects_nss_reference_fc_encryptinit |
NSS |
FC_EncryptInit - initialize an encryption operation. |
||
257 |
mozilla_projects_nss_reference_fc_encryptupdate |
NSS |
FC_EncryptUpdate - encrypt a block of a multi-part encryption operation. |
||
258 |
mozilla_projects_nss_reference_fc_finalize |
NSS |
FC_Finalize - indicate that an application is done with the PKCS #11 library. |
||
259 |
mozilla_projects_nss_reference_fc_findobjects |
NSS |
FC_FindObjects - Search for one or more objects |
||
260 |
mozilla_projects_nss_reference_fc_findobjectsfinal |
NSS |
FC_FindObjectsFinal - terminate an object search. |
||
261 |
mozilla_projects_nss_reference_fc_findobjectsinit |
NSS |
FC_FindObjectsInit - initialize the parameters for an object search. |
||
262 |
mozilla_projects_nss_reference_fc_generatekey |
NSS |
FC_GenerateKey - generate a new key |
||
263 |
mozilla_projects_nss_reference_fc_generatekeypair |
NSS |
FC_GenerateKeyPair - generate a new public/private key pair |
||
264 |
mozilla_projects_nss_reference_fc_generaterandom |
NSS |
FC_GenerateRandom - generate a random number. |
||
265 |
mozilla_projects_nss_reference_fc_getattributevalue |
NSS |
FC_GetAttributeValue - get the value of attributes of an object. |
||
266 |
mozilla_projects_nss_reference_fc_getfunctionlist |
NSS |
FC_GetFunctionList - get a pointer to the list of function pointers in the FIPS mode of operation. |
||
267 |
mozilla_projects_nss_reference_fc_getfunctionstatus |
NSS |
FC_GetFunctionStatus - get the status of a function running in parallel |
||
268 |
mozilla_projects_nss_reference_fc_getinfo |
NSS |
FC_GetInfo - return general information about the PKCS #11 library. |
||
269 |
mozilla_projects_nss_reference_fc_getmechanisminfo |
NSS |
FC_GetMechanismInfo - get information on a particular mechanism. |
||
270 |
mozilla_projects_nss_reference_fc_getmechanismlist |
NSS |
FC_GetMechanismList - get a list of mechanism types supported by a token. |
||
271 |
mozilla_projects_nss_reference_fc_getobjectsize |
NSS |
FC_GetObjectSize - create a copy of an object. |
||
272 |
mozilla_projects_nss_reference_fc_getoperationstate |
NSS |
FC_GetOperationState - get the cryptographic operation state of a session. |
||
273 |
mozilla_projects_nss_reference_fc_getsessioninfo |
NSS |
FC_GetSessionInfo - obtain information about a session. |
||
274 |
mozilla_projects_nss_reference_fc_getslotinfo |
NSS |
FC_GetSlotInfo - get information about a particular slot in the system. |
||
275 |
mozilla_projects_nss_reference_fc_getslotlist |
NSS |
FC_GetSlotList - Obtain a list of slots in the system. |
||
276 |
mozilla_projects_nss_reference_fc_gettokeninfo |
NSS |
FC_GetTokenInfo - obtain information about a particular token in the system. |
||
277 |
mozilla_projects_nss_reference_fc_initialize |
NSS |
FC_Initialize - initialize the PKCS #11 library. |
||
278 |
mozilla_projects_nss_reference_fc_initpin |
NSS |
|
||
279 |
mozilla_projects_nss_reference_fc_inittoken |
NSS |
|
||
280 |
mozilla_projects_nss_reference_fc_login |
NSS |
|
||
281 |
mozilla_projects_nss_reference_fc_logout |
NSS |
FC_Logout - log a user out from a token. |
||
282 |
mozilla_projects_nss_reference_fc_opensession |
NSS |
FC_OpenSession - open a session between an application and a token. |
||
283 |
mozilla_projects_nss_reference_fc_seedrandom |
NSS |
|
||
284 |
mozilla_projects_nss_reference_fc_setattributevalue |
NSS |
FC_SetAttributeValue - set the values of attributes of an object. |
||
285 |
mozilla_projects_nss_reference_fc_setoperationstate |
NSS |
FC_SetOperationState - restore the cryptographic operation state of a session. |
||
286 |
mozilla_projects_nss_reference_fc_setpin |
NSS |
FC_SetPIN - Modify the user’s PIN. |
||
287 |
mozilla_projects_nss_reference_fc_sign |
NSS |
FC_Sign - sign a block of data. |
||
288 |
mozilla_projects_nss_reference_fc_signencryptupdate |
NSS |
FC_SignEncryptUpdate - continue a multi-part signing and encryption operation |
||
289 |
mozilla_projects_nss_reference_fc_signfinal |
NSS |
FC_SignFinal - finish a multi-part signing operation. |
||
290 |
mozilla_projects_nss_reference_fc_signinit |
NSS |
FC_SignInit - initialize a signing operation. |
||
291 |
mozilla_projects_nss_reference_fc_signrecover |
NSS |
FC_SignRecover - Sign data in a single recoverable operation. |
||
292 |
mozilla_projects_nss_reference_fc_signrecoverinit |
NSS |
FC_SignRecoverInit - initialize a sign recover operation. |
||
293 |
mozilla_projects_nss_reference_fc_signupdate |
NSS |
FC_SignUpdate - process the next block of a multi-part signing operation. |
||
294 |
mozilla_projects_nss_reference_fc_unwrapkey |
NSS |
FC_UnwrapKey - unwrap a key |
||
295 |
mozilla_projects_nss_reference_fc_verify |
NSS |
FC_Verify - sign a block of data. |
||
296 |
mozilla_projects_nss_reference_fc_verifyfinal |
NSS |
FC_VerifyFinal - finish a multi-part verify operation. |
||
297 |
mozilla_projects_nss_reference_fc_verifyinit |
NSS |
FC_VerifyInit - initialize a verification operation. |
||
298 |
mozilla_projects_nss_reference_fc_verifyrecover |
NSS |
FC_VerifyRecover - Verify data in a single recoverable operation. |
||
299 |
mozilla_projects_nss_reference_fc_verifyrecoverinit |
NSS |
FC_VerifyRecoverInit - initialize a verification operation where data is recoverable. |
||
300 |
mozilla_projects_nss_reference_fc_verifyupdate |
NSS |
FC_VerifyUpdate - process the next block of a multi-part verify operation. |
||
301 |
mozilla_projects_nss_reference_fc_waitforslotevent |
NSS |
FC_WaitForSlotEvent - waits for a slot event, such as token insertion or token removal, to occur. |
||
302 |
mozilla_projects_nss_reference_fc_wrapkey |
NSS |
FC_WrapKey - wrap a key |
||
303 |
mozilla_projects_nss_reference_nsc_inittoken |
NSS |
|
||
304 |
mozilla_projects_nss_reference_nsc_login |
NSS |
|
||
305 |
mozilla_projects_nss_reference_nspr_functions |
|
NSPR is a platform abstraction library that provides a cross-platform API to common OS services. NSS uses NSPR internally as the porting layer. However, a small number of NSPR functions are required for using the certificate verification and SSL functions in NSS. These NSPR functions are listed in this section. |
||
306 |
mozilla_projects_nss_reference_nss_certificate_functions |
NSS |
This chapter describes the functions and related types used to work with a certificate database such as the cert8.db database provided with NSS. This was converted from “Chapter 5: Certificate Functions”. |
||
307 |
mozilla_projects_nss_reference_nss_cryptographic_module |
NSS |
This chapter describes the data types and functions that one can use to perform cryptographic operations with the NSS cryptographic module. The NSS cryptographic module uses the industry standard PKCS #11 v2.20 as its API with some extensions. Therefore, an application that supports PKCS #11 cryptographic tokens can be easily modified to use the NSS cryptographic module. |
||
308 |
mozilla_projects_nss_reference_nss_cryptographic_module_fips_mode_of_operation |
NSS |
These functions manage certificates and keys. |
||
309 |
mozilla_projects_nss_reference_nss_environment_variables |
NSS |
These environment variables affect the RUN TIME behavior of NSS shared libraries. There is a separate set of environment variables that affect how NSS is built, documented below. |
||
310 |
mozilla_projects_nss_reference_nss_functions |
NSS |
This page lists all exported functions in NSS 3.11.7. It was ported from here. |
||
311 |
mozilla_projects_nss_reference_nss_initialize |
|
NSS_Initialize - initialize NSS. |
||
312 |
mozilla_projects_nss_reference_nss_key_functions |
NSS |
This chapter describes two functions used to manipulate private keys and key databases such as the key3.db database provided with NSS. This was converted from “Chapter 6: Key Functions”. |
||
313 |
mozilla_projects_nss_reference_nss_tools_:_certutil |
|
certificate in both NSS databases and other NSS tokens Synopsis
[[arguments]] Description
Tool, certutil, is a command-line utility
generate, modify, or delete certificates, create or
generate new public and private key pairs,
key database, or delete key pairs within the key database.
of the key and certificate management process, requires that
created in the key database. This document discusses certificate
management. For information on the security module database management,
requires one and only one command option to
certificate operation. Each option may take arguments,
multiple arguments. The command option -H will list
available and their relevant arguments.
certificate to a certificate database.
database should already exist; if one is
command option will initialize one by default.
commands from the specified batch file.
file. Use the -i argument to specify
request file. If this argument is not
from the certificate database. |
||
314 |
mozilla_projects_nss_reference_nss_tools_:_cmsutil |
|
Name |
||
315 |
mozilla_projects_nss_reference_nss_tools_:_crlutil |
Reference |
Name |
||
316 |
mozilla_projects_nss_reference_nss_tools_:_modutil |
Mozilla, NSS, Reference, Security, Tools, Utilities, modutil |
Name |
||
317 |
mozilla_projects_nss_reference_nss_tools_:_pk12util |
|
NSS tools : pk12util |
||
318 |
mozilla_projects_nss_reference_nss_tools_:_ssltab |
|
Name |
||
319 |
mozilla_projects_nss_reference_nss_tools_:_ssltap |
|
Name |
||
320 |
mozilla_projects_nss_reference_nss_tools_:_vfychain |
|
Name |
||
321 |
mozilla_projects_nss_reference_nss_tools_:_vfyserv |
|
Name |
||
322 |
mozilla_projects_nss_reference_nss_tools |
|
certutil mozilla_projects_nss_reference_nss_tools_:_certutil |
||
323 |
mozilla_projects_nss_reference_troubleshoot |
|
Newsgroup: mozilla.dev.tech.crypto |
||
324 |
mozilla_projects_nss_release_notes |
|
This page lists release notes for older versions of NSS. See mozilla_projects_nss_nss_releases for recent release notes. The links below are provided for historical information. |
||
325 |
mozilla_projects_nss_s_mime_functions |
NSS |
The public functions listed here perform S/MIME operations using the S/MIME Toolkit. |
||
326 |
mozilla_projects_nss_ssl_functions |
NSS |
The public functions listed here are used to configure sockets for communication via the SSL and TLS protocols. In addition to the functions listed here, applications that support SSL use some of the Certificate functions, Crypto functions, and Utility functions described below on this page. |
||
327 |
mozilla_projects_nss_ssl_functions_gtstd |
|
This chapter describes how to set up your environment, including certificate and key databases. |
||
328 |
mozilla_projects_nss_ssl_functions_old_ssl_reference |
NSS |
Newsgroup: mozilla.dev.tech.crypto Writer: Sean Cotter Manager: Wan-Teh Chang |
||
329 |
mozilla_projects_nss_ssl_functions_pkfnc |
|
330 |
mozilla_projects_nss_ssl_functions_sslcrt |
|
331 |
mozilla_projects_nss_ssl_functions_sslerr |
|
332 |
mozilla_projects_nss_ssl_functions_sslfnc |
|
333 |
mozilla_projects_nss_ssl_functions_sslintro |
|
SSL and related APIs allow compliant applications to configure sockets for authenticated, tamper-proof, and encrypted communications. This chapter introduces some of the basic SSL functions. Chapter 2, “Getting Started With SSL” illustrates their use in sample client and server applications. |
||
334 |
mozilla_projects_nss_ssl_functions_sslkey |
|
335 |
mozilla_projects_nss_ssl_functions_ssltyp |
|
336 |
mozilla_projects_nss_tls_cipher_suite_discovery |
NSS |
In order to communicate securely, a TLS client and TLS server must agree on the cryptographic algorithms and keys that they will both use on the secured connection. They must agree on these items: |
||
337 |
mozilla_projects_nss_tools |
NSS |
Newsgroup: mozilla.dev.tech.crypto |
||
338 |
mozilla_projects_nss_tools_certutil |
|
certificate in the NSS database. Synopsis
arguments Description
Tool, certutil, is a command-line utility that
certificate and key database files. It can also
delete certificates within the database, create
generate new public and private key pairs, display
database, or delete key pairs within the key
management process generally begins with creating
then generating and managing certificates in the
document discusses certificate and key database
security module database management, see the
requires one (and only one) option to specify the
operation. Each option may take arguments, anywhere
arguments. Run the command option and -H to see the
certificate to a certificate database. The
database should already exist; if one is not present,
commands from the specified batch file. This
certificate file from a binary certificate
the -i argument to specify the certificate
this argument is not used, certutil prompts for a
certificate from the certificate database.
certificate to the certificate database.
key from a key database. Specify the key to
argument. Specify the database from which to
the -d argument. Use the -k argument to
whether to delete a DSA, RSA, or ECC key. If
-k argument, the option looks for an RSA key
keys, be sure to also remove any certificates
those keys from the certificate database, by using
cards (for example, the Litronic card) do not let
key you have generated. In such a case, only
deleted from the key pair. You can display the
command certutil -K -h tokenname.
public and private key pair within a key database.
should already exist; if one is not present, this
initialize one by default. Some smart cards (for
Litronic card) can store only one key pair. If you
pair for such a card, the previous pair is
the options and arguments used by the
keys in the key database. A key ID is the
key or the publicValue of the DSA key. IDs are
hexadecimal (“0x” is not shown).
certificates, or display information about a named
certificate database. Use the -h tokenname
the certificate database on a particular
certificate’s trust attributes using the values of the -t
certificate request file that can be submitted to a
Authority (CA) for processing into a finished
defaults to standard out unless you use -o
argument. Use the -a argument to specify ASCII output.
individual certificate and add it to a certificate
modules or print a single named module.
of a certificate and its attributes.
database into the target database. This is used to
databases (cert8.db and key3.db) into the newer
database and merge it into a new database. This is
legacy NSS databases (cert8.db and key3.db) into
databases (cert9.db and key4.db).
allow the use of ASCII format for input or
formatting follows RFC 1113. For certificate
output defaults to standard output unless
which a certificate is required to be valid. Use
certificate validity with the -V option. The format
validity-time argument is YYMMDDHHMMSS[+HHMM|-HHMM|Z],
offsets to be set relative to the validity end time.
(SS) is optional. When specifying an explicit
the end of the term, YYMMDDHHMMSSZ, to close it.
offset time, use YYMMDDHHMMSS+HHMM or
for adding or subtracting time, respectively.
not used, the validity check defaults to the
certificate of the CA from which a new certificate
authenticity. Use the exact nickname or alias of
or use the CA’s email address. Bracket the
quotation marks if it contains spaces.
database directory containing the certificate and key
two types of databases: the legacy security
(cert8.db, key3.db, and secmod.db) and new SQLite
(cert9.db, key4.db, and pkcs11.txt). If the prefix sql:
the tool assumes that the given databases are in
certificate’s signature during the process of validating a
will automatically supply the password to
certificate or to access a certificate database. This
file containing one password. Be sure to prevent
use when generating new public and private key
is 512 bits and the maximum is 8192 bits. The
bits. Any size between the minimum and maximum is
a token to use or act on. Unless specified
default token is an internal slot (specifically,
This slot can also be explicitly named with the
An internal slots is a virtual slot maintained
than a hardware device. Internal slot 2 is
certificate services. Internal slot 1 is used by
to the command. Depending on the command
file can be a specific certificate, a certificate
a key. The valid options are RSA, DSA, ECC, or
value is rsa. Specifying the type of key can
specific ID of a key. Giving a key type
pair; giving the ID of an existing key reuses
(which is required to renew certificates).
information when validating a certificate with
serial number to a certificate being created. This
performed by a CA. The default serial number
numbers are limited to integers.
nickname of a certificate or key to list, create, add
modify, or validate. Bracket the nickname string
file name for new certificates or binary
requests. Bracket the output-file string with
it contains spaces. If this argument is not
destination defaults to standard output.
used on the certificate and key database file.
provided as a special case. Changing the names of
key databases is not recommended.
telephone number to include in new certificates
requests. Bracket this string with quotation marks
PQG value from the specified file when
pairs. If this argument is not used, certutil
PQG value. PQG files are created with a separate
curve name to use when generating ECC key pairs.
ECC curves is given in the help (-H).
certificate’s binary DER encoding when listing
that certificate with the -L option.
particular certificate owner for new certificates or
requests. Bracket this string with quotation marks if
The subject identification format follows RFC
attributes to modify in an existing certificate
certificate when creating it or adding it to a
three available trust categories for each
expressed in the order SSL, email, object signing for
In each category position, use none, any, or
to issue client certificates (implies c)
to issue server certificates (SSL only)
Certificate can be used for authentication or signing
warning (use with other attributes to include a
the certificate is used in that context)
for the categories are separated by commas,
of attributes enclosed by quotation marks. For
to see a list of the current certificates and
context to apply when validating a certificate
months a new certificate will be valid. The
begins at the current system time unless an offset
subtracted with the -w option. If this argument is not
validity period is three months. When this
the default three-month period is automatically
given in the valid-month argument. For example,
to set a value of 3 would cause 3 to be added to
default, creating a validity period of six months.
negative values to reduce the default period. For
value of -2 would subtract 2 from the default
the current system time, in months, for the
certificate’s validity period. Use when creating
adding it to a database. Express the offset in
minus sign (-) to indicate a negative offset. If
not used, the validity period begins at the
time. The length of the validity period is set with
certificate database to open in read-write mode.
generate the signature for a certificate being
a database, rather than obtaining a signature
exponent value to use in generating a new RSA
database, instead of the default value of
available alternate values are 3 and 17.
from the specified file to generate a new
key pair. This argument makes it possible to
hardware-generated seed values or manually create a value from
Certificate Type Extension in the certificate.
o keyEncipherment
constraint extension to a certificate that is being
a database. This extension supports the
verification process. certutil prompts for the
constraint extension to select.
extensions are described in RFC 5280.
key ID extension to a certificate that is being
a database. This extension supports the
particular certificate, from among multiple
associated with one subject name, as the correct
certificate. The Certificate Database Tool will prompt
extensions are described in RFC 5280.
distribution point extension to a certificate that is
added to a database. This extension identifies
certificate’s associated certificate revocation list
extensions are described in RFC 5280.
certificate type extension to a certificate that is
added to the database. There are several
extensions are described in RFC 5280.
usage extension to a certificate that is being
the database. Several keywords are available:
extensions are described in RFC 5280.
comma-separated list of email addresses to the subject
extension of a certificate or certificate request
created or added to the database. Subject
extensions are described in Section 4.2.1.7 of
comma-separated list of DNS names to the subject alternative
certificate or certificate request that is
added to the database. Subject alternative name
described in Section 4.2.1.7 of RFC 3280.
Information Access extension to the certificate.
extensions are described in RFC 5280.
Information Access extension to the certificate.
extensions are described in RFC 5280.
Policies extension to the certificate. X.509
extensions are described in RFC 5280.
Mappings extension to the certificate. X.509
extensions are described in RFC 5280.
Constraints extension to the certificate. X.509
extensions are described in RFC 5280.
Policy Access extension to the certificate.
extensions are described in RFC 5280.
ID extension to the certificate. X.509
extensions are described in RFC 5280.
certificate database directory to upgrade.
the certificate and key databases to upgrade.
token to use while it is being upgraded.
password file to use for the database being
in the examples listed here have more
arguments included in these examples are the most
illustrate a specific scenario. Use the -H
list of arguments for each command option.
security modules related to managing certificates
created before certificates or keys can be
contains most or all of the information that is used
certificate. This request is submitted separately to
is then approved by some mechanism
review). Once the request is approved, then the
key-type-or-id [-q pqgfile|curve-name] -g key-size -s subject [-h tokenname] -d [sql:]directory [-p phone] [-o output-file] [-a]
the key type to generate or, when renewing a
can be output in ASCII format (-a) or can be
nistb409 -g 512 -s "CN=John Smith,O=Example Corp,L=Mountain View,ST=California,C=US" -d sql:/home/my/sharednssdb -p 650-555-0123 -a -o cert.cer
issued by a trusted CA. This can be done by
(-c) that is stored in the certificate
is not available, you can create a self-signed
argument with the -S command option.
-n certname -s subject [-c issuer |-x] -t trustargs -d [sql:]directory [-m serial-number] [-v valid-months] [-w offset-months] [-p phone] [-1] [-2] [-3] [-4] [-5 keyword] [-6 keyword] [-7 emailAddress] [-8 dns-names] [--extAIA] [--extSIA] [--extCP] [--extPM] [--extPC] [--extIA] [--extSKID]
--ext* options set certificate extensions that
certificate when it is generated by the CA.
CA" -n my-ca-cert -x -t "C,C,C" -1 -2 -5 -m 3650
certificates can reference the self-signed certificate:
Server Cert" -n my-server-cert -c "my-ca-cert" -t "u,u,u" -1 -5 -6 -8 -m 730
is created, a certificate can be generated by
referencing a certificate authority signing
specified in the -c argument). The issuing
certificate database in the specified
cert-request-file -o output-file [-m serial-number] [-v valid-months] [-w offset-months] -d [sql:]directory [-1] [-2] [-3] [-4] [-5 keyword] [-6 keyword] [-7 emailAddress] [-8 dns-names]
-i /home/certs/cert.req -o cert.cer -m 010 -v 12 -w 1 -d sql:/home/my/sharednssdb -1 nonRepudiation,dataEncipherment -5 sslClient -6 clientAuth -7 jsmith@example.com
automatically with a certificate request or
also be generated independently using the -G
[sql:]directory | -h tokenname -k key-type -g key-size [-y exponent-value] -q pqgfile|curve-name
all of the certificates listed in the
path to the directory (-d) is required.
Nickname Trust Attributes
pki-ca1’s Example Domain ID u,u,u
Domain ID u,u,u
Authority
Example Domain CT,C,C
with -L can return and print the information
certificate. For example, the -n argument passes
the -a argument prints the certificate in
sql:/home/my/sharednssdb -a -n "Certificate Authority - Example Domain"
material used to encrypt certificate data. The keys
are stored separately, in the key database.
database, use the -K command option and the
give the path to the directory.
Certificate DB" in slot "NSS User Private Key and Certificate Services "
455a6673bde9 375c2887ec8bf8016b3f9f35861d Thawte Freemail Member’s Thawte Consulting (Pty) Ltd. ID
40defeeb522a de11090eacebaaf1196a172127df Example Domain Administrator Cert
1d0b06f44f6c 03842f7d4f4a1dc78b3bcd1b85a5 John Smith user cert
the keys listed in the search results:
key, use the -n name argument with the name of
security devices loaded, then the -h tokenname
key types available, then the -k key-type
specific type of key, like RSA, DSA, or ECC.
used to store certificates – both internal
devices like smart cards – are recognized and used
modules. The -U command option lists all of the
the secmod.db database. The path to the
certificate requests can be added manually to the
if they were generated elsewhere. This uses the
trustargs -d [sql:]directory [-a] [-i input-file]
Certificate" -t "u,u,u" -d sql:/home/my/sharednssdb -i /home/example-certs/cert.cer
-E, is used specifically to add email
certificate database. The -E command has the same
command. The trust arguments for certificates have the
SSL,S/MIME,Code-signing, so the middle trust settings relate most
(though the others can be set). For example:
Smith Email Cert" -t ",Pu," -d sql:/home/my/sharednssdb -i /home/example-certs/email.cer
from a database using the -D option. The only
give the security database directory and to
sql:/home/my/sharednssdb -n "my-ssl-cert"
expiration date in itself, and expired
rejected. However, certificates can also be
their expiration date. Checking whether a
revoked requires validating the certificate.
to ensure that the certificate is only used
initially issued for. Validation is carried out by
certificate-name [-b time] [-e] [-u cert-usage] -d [sql:]directory
Smith's Email Cert" -e -u S,R -d sql:/home/my/sharednssdb
relate to the operations that a certificate is
be changed after a certificate is created or
is especially useful for CA certificates, but
certificate-name -t trust-args -d [sql:]directory
Certificate" -d sql:/home/my/sharednssdb -t "CTu,CTu,CTu"
in chains because every certificate authority
when a CA issues a certificate, it essentially
with its own fingerprint. The -O prints the full
going from the initial CA (the root CA) through
actual certificate. For example, for an email
sql:/home/my/sharednssdb -O -n "jsmith@example.com"
Personal Freemail CA" [E=personal-freemail@thawte.com,CN=Thawte Personal Freemail CA,OU=Certification Services Division,O=Thawte Consulting,L=Cape Town,ST=Western Cape,C=ZA]
Issuing CA - Thawte Consulting" [CN=Thawte Personal Freemail Issuing CA,O=Thawte Consulting (Pty) Ltd.,C=ZA]
[ E=jsmith@example.com,CN=Thawte Freemail Member]
certificates – both external hardware devices and
– can be blanked and reused. This operation
which stores the data, not directly on the
location must be referenced through the token
directory path. If there is no external token
[sql:]directory -h token-name -0 security-officer-password
dedicated personnel who handle changes to security
officer). This person must supply the password to
sql:/home/my/sharednssdb -h nethsm -0 secret
applications may be using older BerkeleyDB versions of
(cert8.db). Databases can be upgraded to the new
database (cert9.db) using the --upgrade-merge
databases can be merged with the new cert9.db
must give information about the original
standard arguments (like -d) to give the
databases. The command also requires information
process to upgrade and write over the original
[sql:]directory [-P dbprefix] --source-dir directory --source-prefix dbprefix --upgrade-id id --upgrade-token-name name [-@ password-file]
sql:/home/my/sharednssdb --source-dir /opt/my-app/alias/ --source-prefix serverapp- --upgrade-id 1 --upgrade-token-name internal
requires information about the location of the
doesn’t change the format of the database, it
without performing interim step.
[sql:]directory [-P dbprefix] --source-dir directory --source-prefix dbprefix [-@ password-file]
sql:/home/my/sharednssdb --source-dir /opt/my-app/alias/ --source-prefix serverapp-
run sequentially from a text file with the -B
argument for this specifies the input file.
/path/to/batch-file NSS Database Types
BerkeleyDB databases to store security information.
limitations, though, which prevent it from
multiple applications simultaneously. NSS has some
applications to use their own, independent
keeping a shared database and working around the
requires more flexibility to provide a truly
new set of databases that are SQLite databases
These new databases provide more accessibility and
listing of all of the PKCS #11 modules contained
in the security databases directory
databases are designed to be shared, these are the
shared database type is preferred; the legacy
(certutil, pk12util, modutil) assume that the given
the more common legacy type. Using the SQLite
specified by using the sql: prefix with the
type as the default type for the tools, set the
to the ~/.bashrc file to make the change
use the shared database by default, but they can
For example, this how-to article covers how to
Thunderbird to use the new shared NSS databases: o https://wiki.mozilla.org/NSS_Shared_DB_Howto
the changes in the shared NSS databases, see
o https://wiki.mozilla.org/NSS_Shared_DB See Also
operations that use features defined in several
o http://tools.ietf.org/html/rfc5280 o http://tools.ietf.org/html/rfc1113 o http://tools.ietf.org/html/rfc1485
information on the new database design and how to
use it. o https://wiki.mozilla.org/NSS_Shared_DB_Howto o https://wiki.mozilla.org/NSS_Shared_DB Additional Resources
and other tools related to NSS (like JSS), check
[1]http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates
https://lists.mozilla.org/listinfo/dev-tech-crypto
#dogtag-pki Authors
and maintained by developers with Netscape, Red
<emaldona@redhat.com>, Deon Lackey
Licensed under the GNU Public License version 2. References
|
||
339 |
mozilla_projects_nss_tools_cmsutil |
|
cryptographic operations, such as encryption and
Cryptographic Message Syntax (CMS) messages. Synopsis
arguments Description
uses the S/MIME Toolkit to perform basic
encryption and decryption, on Cryptographic Message
command cmsutil option [arguments] where option
combinations of the options and arguments listed in the
command takes one option. Each option may take
see a usage string, issue the command without
Option arguments modify an action. The options
cmsutil command are defined as follows:
key/certificate database directory (default is ".")
containing an enveloped message for a set of
you would like to send an encrypted message.
first encrypted message for that set of recipients,
message will be created that you can then use for
headers with info about CMS message (decode only).
source of data (default is stdin).
certificate to sign with (sign only).
destination of data (default is stdout).
recipients (email addresses) for an encrypted or
For certificates-only message, list of
usage (default is certUsageEmailSigner).
encryption key preference by nickname. Usage
outfile] [-d dbdir] [-p password] -r "recipient1,recipient2, …" -e envfile
outfile] [-d dbdir] [-p password] [-c content] [-n] [-h num]
outfile] [-d dbdir] [-p password] -r "recipient1,recipient2, …"
outfile] [-d dbdir] [-p password] -r "cert1,cert2, . . ."
outfile] [-d dbdir] [-p password] -N nickname[-TGP] [-Y ekprefnick] See also
See Also Additional Resources
conjunction with PKI and security-related projects
The most closely-related project is Dogtag PKI,
[1]http://pki.fedoraproject.org/wiki/.
specifically about NSS, the NSS project wiki is located at [2]http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates
pki-devel@redhat.com and pki-users@redhat.com
#dogtag-pki Authors
and maintained by developers with Netscape and
<emaldona@redhat.com>, Deon Lackey
Licensed under the GNU Public License version 2. References
http://pki.fedoraproject.org/wiki/ |
||
340 |
mozilla_projects_nss_tools_crlutil |
|
modify, or delete CRLs within the NSS security
create, modify or delete certificates entries
arguments Description
List (CRL) Management Tool, crlutil, is a
can list, generate, modify, or delete CRLs
database file(s) and list, create, modify or
management process generally begins with creating
then generating and managing certificates in the
certutil tool) and continues with certificates
certificate revocation list management. For
module database management, see Using the Security
information on certificate and key database
Revocation List Management Tool, type the command
are combinations of the options and arguments
section. Each command takes one option. Each
more arguments. To see a usage string, issue the
with the -H option. Options and Arguments
Option arguments modify an action. The options
crlutil command are defined as follows:
Certificate Revocation List(CRL).
Revocation List from cert database.
specified type from the cert database
which can be located in cert db or in
located in file it should be encoded in ASN.1
used on the NSS security database files (for
my_cert8.db and my_key3.db). This option is provided as a
Changing the names of the certificate and key
allow the use of ASCII format for input and
that will be used to control crl generation/modification. See crl-script-file format below. If
used and -c crl-script-file is not specified,
script data from standard input.
database directory containing the certificate and key
Unix the Certificate Database Tool defaults to
(that is, ~/.netscape). On Windows NT the default
files must reside in the same directory.
which contains the CRL to import
will automatically supply the password to
certificate or to access a certificate database. This
file containing one password. Be sure to prevent
signature algorithm. List of possible
MD4 | MD5 | SHA1 | SHA256 | SHA384 | SHA512
nickname of a certificate or key to list, create, add
modify, or validate. Bracket the nickname string
file name for new CRL. Bracket the output-file
quotation marks if it contains spaces. If this
used the output destination defaults to standard
CRL. possible types are: 0 - SEC_KRL_TYPE, 1 -
should have # as a first symbol of a line
optional. Time should be in GeneralizedTime format
CRL or a crl certificate entry:
critical/non-critical [arg1[arg2 …]]
value of a name of known extensions.
when extension is critical and 0 otherwise.
extension type extension parameters
was set earlier by addcert and will install an
separated by dash: range of certificates that
command. dash is used as a delimiter. Only one cert
no delimiter. date: revocation date of a cert.
in GeneralizedTime format (YYYYMMDDhhmmssZ).
separated by dash: range of certificates that
command. dash is used as a delimiter. Only one cert
values separated by dash: range of certificates
command. dash is used as a delimiter. Only one
CRL provide methods for associating additional
their entries. For more information see RFC #3280
identifier extension provides a means of identifying the
the private key used to sign a CRL.
the name of an extension critical: value of 1 of
this extension is critical or 0 otherwise.
represented in octet string. dn:: is a CA
cert-serial: authority certificate serial number.
names extension allows additional identities to be
of the CRL. Defined options include an rfc822
address), a DNS name, an IP address, and a URI.
the name of an extension should be set to 0 since
extension name-list: comma separated list of names
non-critical CRL extension which conveys a
sequence number for a given CRL scope and CRL
allows users to easily determine when a particular
name of an extension critical: should be set to
non-critical extension number: value of long which
non-critical CRL entry extension that identifies the
name of an extension non-critical: should be
non-critical extension code: the following codes
keyCompromise (1), cACompromise (2), affiliationChanged
cessationOfOperation (5), certificateHold (6),
privilegeWithdrawn (9), aACompromise (10)
non-critical CRL entry extension that provides
known or suspected that the private key was
certificate otherwise became invalid.
name of an extension non-critical: should be set
non-critical extension date: invalidity date of a cert.
in GeneralizedTime format (YYYYMMDDhhmmssZ). Usage
List Management Tool’s capabilities are grouped
combinations of options and arguments. Options and
brackets are optional, those without square brackets
extensions” for more information regarding extensions and
-n nickname [-i crl] [-u url] [-d keydir] [-P dbprefix] [-l alg] [-a] [-B]
nickname [-d keydir] [-P dbprefix]
nickname [-d keydir] [-P dbprefix]
[-t crlType] [-u url] [-d keydir] [-P dbprefix] [-B] See also
See Also Additional Resources
conjunction with PKI and security-related projects
The most closely-related project is Dogtag PKI,
[1]http://pki.fedoraproject.org/wiki/.
specifically about NSS, the NSS project wiki is located at [2]http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates
pki-devel@redhat.com and pki-users@redhat.com
#dogtag-pki Authors
and maintained by developers with Netscape and
<emaldona@redhat.com>, Deon Lackey
Licensed under the GNU Public License version 2. References
http://pki.fedoraproject.org/wiki/ |
||
341 |
mozilla_projects_nss_tools_modutil |
|
module information within the security module
arguments Description
Database Tool, modutil, is a command-line utility for
information both within secmod.db files and
modutil can add and delete PKCS #11 modules,
security databases, set defaults, list module
slots, enable or disable FIPS 140-2
default providers for cryptographic operations.
certificate, key, and module security database
security module database management are part of
also involves managing key databases and
requires one (and only one) option to specify the
Each option may take arguments, anywhere from
#11 module to the database. Use this option
-ciphers, and -mechanisms arguments.
on the named token. If the token has not been
option initializes the password. Use this option
and -newpwfile arguments. A password is
personal identification number (PIN).
module is in the given FIPS mode. true means to
module is in FIPS mode, while false means to
certificate, key, and module databases. Use the -dbdir
to specify a directory. If any of these
exist in a specified directory, modutil returns
security mechanisms for which the named module will be
The security mechanisms are specified with the
module. The default NSS PKCS #11 module cannot be
on the named module. Use the -slot argument to
the named module. Use the -slot argument to
disable (false) FIPS 140-2 compliance for the
interactive prompts so it can be run from a
option only after manually testing each planned
for warnings and to ensure that bypassing the
no security lapses or loss of database
module to the database using the named JAR
command with the -installdir and -tempdir
file uses the NSS PKCS #11 JAR format to
files to be installed, the module’s name, the
and the cipher flags, as well as any files to be
target machine, including the PKCS #11 module
other files such as documentation. This is
installation file section in the man page,
special script needed to perform an installation
information about the contents of the secmod.db
modulename displays detailed information about
string to the secmod.db database.
specs for a specified module or for all
security mechanisms for which the named module will
provider. The security mechanisms are specified
module spec to load into the security database.
ciphers in a module that is being added to the
cipher-enable-list is a colon-delimited list of
Enclose this list in quotation marks if it contains
database directory in which to access or create
two types of databases: the legacy security
(cert8.db, key3.db, and secmod.db) and new SQLite
(cert9.db, key4.db, and pkcs11.txt). If the prefix sql:
the tool assumes that the given databases are in
used on the database files, such as my_ for
option is provided as a special case. Changing
certificate and key databases is not recommended.
installation directory relative to which files
by the -jar option. This directory should be one
appropriate to store dynamic library files, such
library file containing the implementation of
interface module that is being added to the database.
security mechanisms for which a particular module will
default provider. The mechanism-list is a
list of mechanism names. Enclose this list in
a default provider for the listed mechanisms
mechanisms are enabled. If more than one module claims
mechanism’s default provider, that mechanism’s
several mechanisms: RSA, DSA, RC2, RC4, RC5, AES,
SHA256, SHA512, SSL, TLS, MD5, MD2, RANDOM (for
generation), and FRIENDLY (meaning certificates are
containing a token’s new or replacement
password can be entered automatically with the
certificate or key databases. This has several
-create command, only a module security file is
certificate and key databases are not created.
command, signatures on the JAR file are not
-changepw command, the password on the NSS internal
be set or changed, since this password is
containing a token’s existing password so that
entered automatically when the -changepw option
the security module database (like secmod.db) to
particular slot to be enabled or disabled with the
configuration string for the module being added to the
location where temporary files are created during
the -jar option. If no temporary directory is
current directory is used. Usage and Examples
be performed, there must be a set of security
modutil can be used to create these files. The only
database where the databases will be
means submitting a supporting library file,
setting default provider status for various
can be done by supplying all of the information
by running a JAR file and install script. For
-libfile library-file [-ciphers cipher-enable-list] [-mechanisms mechanism-list]
sql:/home/my/sharednssdb -add "Example PKCS #11 Module" -libfile "/tmp/crypto.so" -mechanisms RSA:DSA:RC2:RANDOM
be loaded using a JAR file, which contains all
and an installation script that describes how to
install script is described in more detail in
defines the setup information for each
can be installed on. For example:
} DefaultMechanismFlags{0x0000}
the required libraries must be bundled in a
specified with the -jar argument.
sql:/home/my/sharednssdb -jar install.jar -installdir sql:/home/my/sharednssdb
L=Mountain View, CN=Cryptorific Inc., OU=Digital ID
Signing, OU="www.verisign.com/repository/CPS
6", OU=www.verisign.com/CPS Incorp.by Ref
VeriSign, OU=VeriSign Object Signing CA - Class 3
Inc.", O=VeriSign Trust Network **ISSUER
OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97
Signing CA - Class 3 Organization,
PKCS #11 Module” into module database
stored in the security database about its
parameters. These can be added or edited using the
current settings or to see the format of the
database, use the -rawlist option.
can be deleted from the secmod.db database:
contains information about the PKCS #11 modules
application or server to use. The list of all
specific modules, and database configuration
modules in the database, use the -list command.
the module name, their status, and other
databases for certificates and keys. For example:
Private Key and Certificate Services
name with the -list returns detailed information
like supported cipher mechanisms, version
and other information about the module and the
PKCS #11 Module" -dbdir sql:/home/my/sharednssdb
RSA:RC2:RC4:DES:DH:SHA1:MD5:MD2:SSL:TLS:AES
RSA:RC2:RC4:DES:DH:SHA1:MD5:MD2:SSL:TLS:AES
returns information about the database
modules. (This information can be edited by loading
Module" parameters="configdir=. certPrefix= keyPrefix= secmod=secmod.db flags=readOnly " NSS="trustOrder=75 cipherOrder=100 slotParams={0x00000001=[ slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,RANDOM askpw=any timeout=30 ] } Flags=internal,critical"
may provide support for the same security
to set a specific security module as the
specific security mechanism (or, conversely, to
default provider for mechanisms, use the -default
colon-separated list of mechanisms. The available
module; NSS supplies almost all common
Internal PKCS #11 Module" -dbdir -mechanisms RSA:DSA:RC2
Internal PKCS #11 Module" -dbdir -mechanisms MD2:MD5
on modules, can be selectively enabled or
Both commands have the same format:
PKCS #11 Module" -slot "NSS Internal Cryptographic Services " -dbdir .
Cryptographic Services " enabled.
appropriate amount of trailing whitespace is after the
have a significant amount of whitespace that
FIPS 140-2 compliance enabled or disabled using
FIPS mode, run the -chkfips command with either a
doesn’t matter which). The tool returns the current
[-pwfile old-password-file] [-newpwfile new-password-file]
sql:/home/my/sharednssdb -changepw "NSS Certificate DB"
Certificate DB" password changed successfully. JAR Installation File Format
server, by modutil, or by any program that
JavaScript, a special information file must be included
There are several things to keep in mind with
the JAR archive’s manifest file.
this is Pkcs11_install_script. To declare
manifest file, put it in a file that is passed
installer script could be in the file
metainfo file for signtool includes a line such as
platform and version number, the module name
information like supported ciphers and
platforms can be defined in a single install file.
IRIX:6.2:mips SUNOS:5.5.1:sparc }
win32/fort32.dll } DefaultMechanismFlags{0x0001}
unix/fort.so } DefaultMechanismFlags{0x0001}
RelativePath{%root%/lib/fort.so} AbsolutePath{/usr/local/netscape/lib/fort.so}
RelativePath{%root%/docs/inst.html} AbsolutePath{/usr/local/netscape/docs/inst.html}
allowing lists, key-value pairs, strings, and
be escaped with a backslash. A complex string
or carriage returns. Outside of complex strings,
example, spaces, tabs, and carriage returns) is
keys to define the platform and module
list of platforms that are forward compatible.
cannot be found in the list of supported
ForwardCompatible list is checked for any platforms
architecture in an earlier version. If one is
a list of platforms. Each entry in the list is
the key is the name of the platform and the value
attributes of the platform. The platform string is
name:OS release:architecture. The installer obtains
release is an empty string on non-Unix
defined independently for each platform in the
Files attributes. These attributes must be
EquivalentPlatform attribute is specified.
meaning only within the value list of an entry in
the common name for the module. This name is
module by servers and by the modutil tool.
the PKCS #11 module file for this platform.
relative path of the file within the JAR archive.
files that need to be installed for this
file list is a key-value pair. The key is the
archive, and the value list contains
least RelativePath or AbsolutePath must be
specifies mechanisms for which this module is the
equivalent to the -mechanism option with the
key-value pair is a bitstring specified in hexadecimal
constructed as a bitwise OR. If the
is omitted, the value defaults to 0x0.
ciphers that this module provides that NSS
the module enables those ciphers for NSS). This
-cipher argument with the -add command. This key is a
hexadecimal (0x) format. It is constructed as a
CipherEnableFlags entry is omitted, the value defaults
specifies that the attributes of the named platform
current platform. This makes it easier when
within the value list of an entry in a Files
key that identifies where the file is. Either
AbsolutePath must be specified. If both are specified, the
first, and the absolute path is used only if no
provided by the installer program.
destination directory of the file, relative to
install time. Two variables can be used in the
%temp%. %root% is replaced at run time with the
files should be installed; for example, it may
directory. The %temp% directory is created at the
installation and destroyed at the end. The purpose of
executable files (such as setup programs) or files that
Files destined for the temporary directory are
before any executable file is run; they are not
executable files have finished.
destination directory of the file as an
the file is to be executed during the course of
Typically, this string is used for a setup program
vendor, such as a self-extracting setup executable.
specified as executable, in which case the files
which they are specified in the script file.
permissions on any referenced files in a string of
the standard Unix format. This string is a
understand these permissions. They are applied only
for the current platform. If this attribute is
is assumed. NSS Database Types
BerkeleyDB databases to store security information.
limitations, though, which prevent it from
multiple applications simultaneously. NSS has some
applications to use their own, independent
keeping a shared database and working around the
requires more flexibility to provide a truly
new set of databases that are SQLite databases
These new databases provide more accessibility and
listing of all of the PKCS #11 modules contained
in the security databases directory
databases are designed to be shared, these are the
shared database type is preferred; the legacy
(certutil, pk12util, modutil) assume that the given
the more common legacy type. Using the SQLite
specified by using the sql: prefix with the
type as the default type for the tools, set the
to the ~/.bashrc file to make the change
use the shared database by default, but they can
For example, this how-to article covers how to
Thunderbird to use the new shared NSS databases: o https://wiki.mozilla.org/NSS_Shared_DB_Howto
the changes in the shared NSS databases, see
o https://wiki.mozilla.org/NSS_Shared_DB See Also
information on the new database design and how to
use it. o https://wiki.mozilla.org/NSS_Shared_DB_Howto o https://wiki.mozilla.org/NSS_Shared_DB Additional Resources
and other tools related to NSS (like JSS), check
[2]http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates
https://lists.mozilla.org/listinfo/dev-tech-crypto
#dogtag-pki Authors
and maintained by developers with Netscape, Red
<emaldona@redhat.com>, Deon Lackey
Licensed under the GNU Public License version 2. References
Format
https://www.mozilla.org/projects/security/pki/nss/ |
||
342 |
mozilla_projects_nss_tools_nss_tools_certutil-tasks |
|
Newsgroup: mozilla.dev.tech.crypto |
||
343 |
mozilla_projects_nss_tools_nss_tools_certutil |
certificates, x509v3 |
The Certificate Database Tool
is a command-line utility that
can create and modify the
Netscape Communicator
|
||
344 |
mozilla_projects_nss_tools_nss_tools_cmsutil |
|
The cmsutil command-line utility uses the S/MIME Toolkit to perform basic operations, such as encryption and decryption, on Cryptographic Message Syntax (CMS) messages. |
||
345 |
mozilla_projects_nss_tools_nss_tools_crlutil |
|
Newsgroup: mozilla.dev.tech.crypto |
||
346 |
mozilla_projects_nss_tools_nss_tools_dbck-tasks |
|
Newsgroup: mozilla.dev.tech.crypto |
||
347 |
mozilla_projects_nss_tools_nss_tools_modutil-tasks |
|
Newsgroup: mozilla.dev.tech.crypto |
||
348 |
mozilla_projects_nss_tools_nss_tools_modutil |
|
The Security Module Database
Tool is a command-line utility
for managing PKCS #11 module
information within
|
||
349 |
mozilla_projects_nss_tools_nss_tools_pk12util-tasks |
|
Newsgroup: mozilla.dev.tech.crypto |
||
350 |
mozilla_projects_nss_tools_nss_tools_pk12util |
|
The PKCS #12 utility makes sharing of certificates among Enterprise server 3.x and any server (Netscape products or non-Netscape products) that supports PKCS#12 possible. The tool allows you to import certificates and keys from pkcs #12 files into NSS or export them and also list certificates and keys in such files. |
||
351 |
mozilla_projects_nss_tools_nss_tools_signver-tasks |
|
No summary! |
||
352 |
mozilla_projects_nss_tools_nss_tools_sslstrength |
|
A simple command-line client which connects to an SSL-server, and reports back the encryption cipher and strength used. |
||
353 |
mozilla_projects_nss_tools_nss_tools_ssltap |
|
The SSL Debugging Tool is an SSL-aware command-line proxy. It watches TCP connections and displays the data going by. If a connection is SSL, the data display includes interpreted SSL records and handshaking. |
||
354 |
mozilla_projects_nss_tools_pk12util |
|
import keys and certificate to or from a PKCS #12
tokenname] [-v] [common-options] ] [ -l p12File
[common-options] ] [ -o p12File -n certname [-c
[-m|--key_len keyLen] [-n|--cert_key_len
[common-options] ] [ common-options are: [-d [sql:]directory]
slotPasswordFile|-K slotPassword] [-w
p12filePassword] ] Description
pk12util, enables sharing certificates among any
PKCS#12. The tool can import certificates and keys
security databases, export certificates, and list
certificates from a PKCS#12 file into a security
certificates from the security database to a
nickname of the cert and private key to export.
database directory into which to import to or export
two types of databases: the legacy security
(cert8.db, key3.db, and secmod.db) and new SQLite
(cert9.db, key4.db, and pkcs11.txt). If the prefix sql:
the tool assumes that the given databases are in
used on the certificate and key databases. This
as a special case. Changing the names of the
the token to import into or export from.
file containing the slot’s password.
file containing the pkcs #12 file password.
cert (overall package) encryption algorithm.
length of the symmetric key to be used to
length of the symmetric key to be used to
certificates and other meta-data.
data in raw (binary) form. This must be saved as
default is to return information in a pretty-print
displays the information about the
public keys in the p12 file. Return Codes
error Examples
pk12util for importing a certificate or key is the
some way to specify the security database
for a directory or -h for a token).
tokenname] [-v] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]
/tmp/cert-files/users.p12 -d sql:/home/my/sharednssdb
to export certificates and keys requires both
to extract from the database (-n) and the
file to write to. There are optional parameters
the file to protect the certificate material.
certname [-c keyCipher] [-C certCipher] [-m|--key_len keyLen] [-n|--cert_key_len certKeyLen] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]
Server-Cert -d sql:/home/my/sharednssdb
file are not human-readable. The certificates
printed (listed) in a human-readable
shows information for every certificate and any
tokenname] [-r] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]
Freemail Member’s Thawte Consulting (Pty) Ltd. ID
PKCS #12 V2 PBE With SHA-1 And 3KEY Triple DES-CBC
45:2e:6a:a0:03:4d:7b:a1:63:3c:15:ea:67:37:62:1f
PKCS #1 SHA-1 With RSA Encryption
“E=personal-freemail@thawte.com,CN=Thawte Personal Freemail CA,OU=Certification Services Division,O=Thawte Consulting,L=Cape T
prints the certificates and then exports them into
This allows the certificates to be fed to
supports .p12 files. Each certificate is written
file, beginning with file0001.der and continuing
incrementing the number for every certificate:
Freemail Member’s Thawte Consulting (Pty) Ltd. ID
PKCS #12 V2 PBE With SHA-1 And 3KEY Triple DES-CBC
45:2e:6a:a0:03:4d:7b:a1:63:3c:15:ea:67:37:62:1f
Thawte Personal Freemail Issuing CA - Thawte Consulting
Thawte Freemail Member’s Thawte Consulting (Pty) Ltd. ID Password Encryption
only the protection of the private keys but also
meta-data associated with the keys. Password-based
protect private keys on export to a PKCS#12 file
package. If no algorithm is specified, the
PKCS12 V2 PBE with SHA1 and 3KEY Triple DES-cbc for
PKCS12 V2 PBE with SHA1 and 40 Bit RC4 is the
package encryption when not in FIPS mode. When in
protected with strong encryption by default.
(the default for key encryption)
o CAMELLIA-128-CBC o CAMELLIA-192-CBC
with SHA1 and 40 Bit RC4 (the default for
with SHA1 and 3KEY Triple DES-cbc
with SHA1 and 2KEY Triple DES-cbc
Based Encryption with MD2 and DES CBC
Password Based Encryption with MD5 and DES CBC
Password Based Encryption with SHA1 and DES CBC
provider may be the soft token module or an
If the cryptographic module does not support the
the next best fit will be selected (usually the
replacement for the desired algorithm can be
error no security module can perform the
BerkeleyDB databases to store security information.
limitations, though, which prevent it from
multiple applications simultaneously. NSS has some
applications to use their own, independent
keeping a shared database and working around the
requires more flexibility to provide a truly
new set of databases that are SQLite databases
These new databases provide more accessibility and
listing of all of the PKCS #11 modules contained
in the security databases directory
databases are designed to be shared, these are the
shared database type is preferred; the legacy
(certutil, pk12util, modutil) assume that the given
the more common legacy type. Using the SQLite
specified by using the sql: prefix with the
/tmp/cert-files/users.p12 -d sql:/home/my/sharednssdb
type as the default type for the tools, set the
to the ~/.bashrc file to make the change
use the shared database by default, but they can
For example, this how-to article covers how to
Thunderbird to use the new shared NSS databases: o https://wiki.mozilla.org/NSS_Shared_DB_Howto
the changes in the shared NSS databases, see
o https://wiki.mozilla.org/NSS_Shared_DB See Also
information on the new database design and how to
use it. o https://wiki.mozilla.org/NSS_Shared_DB_Howto o https://wiki.mozilla.org/NSS_Shared_DB Additional Resources
and other tools related to NSS (like JSS), check
[1]http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates
https://lists.mozilla.org/listinfo/dev-tech-crypto
#dogtag-pki Authors
and maintained by developers with Netscape, Red
<emaldona@redhat.com>, Deon Lackey
Licensed under the GNU Public License version 2. References
|
||
355 |
mozilla_projects_nss_tools_signtool |
|
objects and files. Synopsis
nickname <-G_nickname>`__ -s size -b basename [[-c Compression
[[-i installer script] ] [[-m metafile] ] [[-x
[[-t|--token tokenname] ] [[-e extension] ] [[-o]
[[--outfile] ] [[--verbose value] ] [[--norecurse] ]
directory] ] [[-Z jarfile] ] [[-O] ] [[-p password] ]
creates digital signatures and uses a Java
associate the signatures with files in a directory.
distribution over any network involves potential
address some of these problems, you can
signatures with the files in a JAR archive. Digital
SSL-enabled clients to perform two important operations:
the individual, company, or other entity whose
have been tampered with since being signed
certificate, you can use Netscape Signing Tool to
package them as a JAR file. An object-signing
kind of certificate that allows you to associate
potentially be signed with multiple digital
commercial software developer might sign the
software product to prove that the files are
company. A network administrator manager might
additional digital signature based on a
certificate to indicate that the product is approved for
digital signature is comparable to the significance
Once you have signed a file, it is difficult
didn’t sign it. In some situations, a digital
as legally binding as a handwritten signature.
great care to ensure that you can stand behind
software developer, you should test your code to
before signing it. Similarly, if you are a
should make sure, before signing any code, that
source and will run correctly with the software
to which you are distributing it.
Signing Tool to sign files, you must have an
which is a special certificate whose
used to create digital signatures. For testing
create an object-signing certificate with Netscape
testing is finished and you are ready to
you should obtain an object-signing certificate
certificate authority (CA) that authenticates your
fee. You typically get a certificate from an
to sign software that will be distributed over
running on your corporate intranet or extranet.
Management System provides a complete management
deploying, and managing certificates, including CAs
certificate for the CA that issues your signing
sign files. If the certificate authority’s
installed in your copy of Communicator, you
clicking the appropriate link on the certificate
example on the page from which you initiated
certificate. This is the case for some test
certificates issued by Netscape Certificate
download the CA certificate in addition to
certificate. CA certificates for several
preinstalled in the Communicator certificate
object-signing certificate for your own use, it is
your copy of the Communicator client software.
public-key cryptography standard known as PKCS
portability. You can, for example, move an
and its associated private key from one
credit-card-sized device called a smart card. Options
filename for the .rsa and .sf files in the
to conform with the JAR format. For example, -b
the files to be named signatures.rsa and
compression level for the -J or -Z option. The
a number from 0 to 9, where 0 means no
means maximum compression. The higher the level
smaller the output but the longer the
the -c# option is not used with either the -J
the default compression value used by both the
certificate database directory; that is, the
you placed your key3.db and cert7.db files. To
directory, use “-d.” (including the period).
signtool assumes ~/.netscape unless told
version of signtool always requires the use of
specify where the database files are located.
sign only files with the given extension; for
-e”.class” to sign only Java class files. Note that
Signing Tool version 1.1 and later this option can
times on one command line, making it possible to
file types or classes to include.
file containing Netscape Signing Tool options and
keyword=value format. All options and arguments can
through this file. For more information about the
this file, see “Tips and Techniques”.
of an installer script for SmartUpdate. This
files from the JAR archive in the local system
has validated the digital signature. For more
description of -m that follows. The -i option
straightforward way to provide this information if you
specify any metadata other than an installer script.
JavaScript directory. This option causes the
to be signed and tags its entries as inline
special type of entry does not have to appear in
itself. Instead, it is located in the HTML page
inline scripts. When you use signtool -v, these
displayed with the string NOT PRESENT.
nickname (key) of the certificate you want to sign
files in the specified directory. The directory
specified as the last command-line argument.
possible to write signtool -k MyCert -d . signdir You
the nickname contains a single quotation mark.
escape the quotation mark using the escape
your platform. It’s also possible to use the -k
signing any files or specifying a directory. For
use it with the -l option to get detailed
particular signing certificate.
private-public key pair and corresponding
certificate with the given nickname. The newly
certificate are installed into the key and
databases in the directory specified by the -d option.
of Netscape Signing Tool, you must use the -d
option. With the Unix version of Netscape
omitting the -d option causes the tool to install
certificate in the Communicator key and certificate
are installing the keys and certificate in the
databases, you must exit Communicator before using
otherwise, you risk corrupting the databases. In all
certificate is also output to a file named x509.cacert,
MIME-type application/x-x509-ca-cert. Unlike
normally used to sign finished code to be distributed
test certificate created with -G is not signed
certificate authority. Instead, it is self-signed.
single test signing certificate functions as both
certificate and a CA. When you are using it to
behaves like an object-signing certificate. When
browser software such as Communicator, it
object-signing CA and cannot be used to sign
option is available in Netscape Signing Tool 1.0
only. By default, it produces only RSA
1024-byte keys in the internal token. However,
option specify the required key size and the -t
the token. For more information about the use of
“Generating Test Object-Signing Certificates” on page
certificates, including issuing CAs. If any of your
expired or invalid, the list will so specify.
used with the -k option to list detailed
particular signing certificate. The -l option
Netscape Signing Tool 1.0 and later versions only.
of HTML files containing JavaScript and creates
files as are specified in the HTML tags. Even if
more than one archive file, you need to supply
password only once. The -J option is available
Signing Tool 1.0 and later versions. The -J
used at the same time as the -Z option. If the
used with the -J option, the default compression
that versions 1.1 and later of Netscape Signing
recognizes the CODEBASE attribute, allows paths to
the CLASS and SRC attributes instead of filenames
LINK tags and parses HTML correctly, and offers
certificates in your database. An asterisk appears to
nickname for any certificate that can be used to
temporary .arc (archive) directories that the -J
These directories are automatically erased by
the temporary directories can be an aid to
of a metadata control file. Metadata is signed
attached either to the JAR archive itself or to files
This metadata can be any ASCII string, but is
specifying an installer script. The metadata file
per line, each with three fields: field #1:
or + if you want to specify global metadata
about the JAR archive itself or all entries in
#2: the name of the data you are specifying;
Install-Script field #3: data corresponding to the
For example, the -i option uses the equivalent of
Install-Script: script.js This example associates a
file: movie.qt MIME-Type: video/quicktime For
the way installer script information appears in
for a JAR archive, see The JAR Format on
modules available to signtool, including smart
option is available in Netscape Signing Tool 1.0 and
only. For information on using Netscape Signing
cards, see “Using Netscape Signing Tool with Smart
information on using the -M option to verify
validated mode, see “Netscape Signing Tool and
into subdirectories when signing a directory’s
archive for size. Use this only if you are signing
containing hundreds of files. This option
files (required by the JAR format) considerably
contain slightly less information.
receive redirected output from Netscape
password for the private-key database. Note that the
the command line is displayed as plain text.
of the key for generated certificate. Use the
out what tokens are available. The -s option can
available token should generate the key and
certificate. Use the -M option to find out what tokens
-t option can be used with the -G option only.
contents of an archive and verifies the cryptographic
digital signatures it contains and the files with
associated. This includes checking that the
issuer of the object-signing certificate is
certificate database, that the CA’s digital
object-signing certificate is valid, that the
certificates have not expired, and so on.
of information Netscape Signing Tool generates
value of 0 (zero) is the default and gives full
value of -1 suppresses most messages, but not error
of signers of any files in the archive.
specified directory from signing. Note that with
Tool version 1.1 and later this option can appear
one command line, making it possible to specify
to store the signing time in the digital
option is useful if you want the expiration date
checked against the current date and time rather
with the specified name. You must specify this
signtool to create the JAR file; it does not do
If you don’t specify -Z, you must use an
to create the JAR file. The -Z option cannot be
time as the -J option. If the -c# option is not
option, the default compression value is 6. The Command File Format
Signing Tool command file have this general format:
before the = sign on a single line is a keyword,
sign to the end of line is a value. The value
the first = sign on a line is interpreted. Blank
white space on a line with keywords and values is
keyword (if it comes before the equal sign) or
comes after the first equal sign). Keywords are
are generally case sensitive. Since the = sign
value, it should not be quoted.
certificate, as with -k and -l -k options.
Value is ignored, but = sign must be present.
Value is ignored, but = sign must be present.
Value is ignored, but = sign must be present.
Value is ignored, but = sign must be present.
value is ignored, but = sign must be present.
which output and error messages will be
option has no command-line equivalent. Extended Examples
list the nicknames for all available certificates
Individual Subscriber - VeriSign, Inc.
to sign objects have *’s to their left.
are displayed: Verisign Object Signing Cert and
get a list of signing certificates only,
signing cert (Signtool 1.0 Testing
object-signing certificate and sign the
signdir/META-INF/manifest.mf file..
signdir/META-INF/manifest.mf to testjar.jar
signdir/META-INF/signtool.sf to testjar.jar
signdir/META-INF/signtool.rsa to testjar.jar
Tool with a ZIP utility, you must have the utility
variable. You should use the zip.exe utility
which cannot handle long filenames. You can use a
-Z option to package a signed archive into a
META-INF/manifest.mf (deflated 15%)
META-INF/signtool.sf (deflated 28%)
META-INF/signtool.rsa (stored 0%)
generates a new public-private key pair and
nickname of the new certificate as an argument.
and certificate are installed into the key and
the directory specified by the -d option. With
Signing Tool, you must use the -d option with
Unix version of Netscape Signing Tool, omitting
tool to install the keys and certificate in the
certificate databases. In all cases, the certificate
named x509.cacert, which has the MIME-type
standard information about the entity they identify,
organization name. Netscape Signing Tool
information when you run the command with the -G
requested fields are optional for test
enter a common name, the tool provides a
following example, the user input is in boldface:
information. All fields are optional. Acceptable
letters, spaces, and apostrophes.
“Communicator Certificate DB”: [Password will not echo]
is read from standard input. Therefore, the
from a file using the redirection operator (<) in
create a file for this purpose, enter each of
order, on a separate line. Make sure there is a
end of the last line. Then run signtool with
screen, but the responses will be automatically
password will still be read from the console
option to give the password on the command line.
to list the PKCS #11 modules, including smart
PKCS #11 Module (this module is internally loaded) slots: 2 slots attached
Internal Cryptographic Services Version 4.0
User Private Key and Certificate Services
normally takes an argument of the -k option to
certificate. To sign with a smart card, you supply only
certificate names when you run Communicator, click
Navigator, then click Yours under Certificates in
qualified names are of the format smart
example “MyCard:My Signing Cert”. You use this name
that you are using the FIPS-140-1 module.
Internal Cryptographic Services Version 4.0
Private Key and Certificate Services
that Netscape Signing Tool is using a FIPS-140-1
“Communicator Certificate DB”: [password will not echo]
FIPS-140-1 Cryptographic Services
information on the new database design and how to
use it. o https://wiki.mozilla.org/NSS_Shared_DB_Howto o https://wiki.mozilla.org/NSS_Shared_DB Additional Resources
and other tools related to NSS (like JSS), check
[1]http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates
https://lists.mozilla.org/listinfo/dev-tech-crypto
#dogtag-pki Authors
and maintained by developers with Netscape, Red
<emaldona@redhat.com>, Deon Lackey
Licensed under the GNU Public License version 2. References
|
||
356 |
mozilla_projects_nss_tools_signver |
|
PKCS#7 signature for a file. Synopsis
directory [-a] [-i input_file] [-o output_file] [-s
Tool, signver, is a simple command-line utility
base-64-encoded PKCS#7 signed object and verifies the
standard cryptographic techniques. The Signature
display the contents of the signed object. Options
information in the PKCS#7 signature.
database directory which contains the certificates and
two types of databases: the legacy security
(cert8.db, key3.db, and secmod.db) and new SQLite
(cert9.db, key4.db, and pkcs11.txt). If the prefix sql:
the tool assumes that the given databases are in
signature file is in ASCII format.
file for the object with signed data.
file to which to write the results.
file for the digital signature.
output. Extended Examples
the signature in a given signature file is
given object (from the input file).
-i signed_file -d sql:/home/my/sharednssdb
the information contained in a signature file.
the signature file information to the given
-o output_file NSS Database Types
BerkeleyDB databases to store security information.
limitations, though, which prevent it from
multiple applications simultaneously. NSS has some
applications to use their own, independent
keeping a shared database and working around the
requires more flexibility to provide a truly
new set of databases that are SQLite databases
These new databases provide more accessibility and
listing of all of the PKCS #11 modules contained
in the security databases directory
databases are designed to be shared, these are the
shared database type is preferred; the legacy
(certutil, pk12util, modutil) assume that the given
the more common legacy type. Using the SQLite
specified by using the sql: prefix with the
type as the default type for the tools, set the
to the ~/.bashrc file to make the change
use the shared database by default, but they can
For example, this how-to article covers how to
Thunderbird to use the new shared NSS databases: o https://wiki.mozilla.org/NSS_Shared_DB_Howto
the changes in the shared NSS databases, see
o https://wiki.mozilla.org/NSS_Shared_DB See Also
information on the new database design and how to
NSS database https://wiki.mozilla.org/NSS_Shared_DB_Howto
technical information about the shared NSS database https://wiki.mozilla.org/NSS_Shared_DB Additional Resources
and other tools related to NSS (like JSS), check
[1]http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates
https://lists.mozilla.org/listinfo/dev-tech-crypto
#dogtag-pki Authors
and maintained by developers with Netscape, Red
<emaldona@redhat.com>, Deon Lackey
Licensed under the GNU Public License version 2. References
|
||
357 |
mozilla_projects_nss_tools_ssltap |
|
connections and display the data going by Synopsis
port] [hostname:port] Description
ssltap is an SSL-aware command-line proxy. It
displays the data going by. If a connection is
includes interpreted SSL records and handshaking Options
printing. Instead of outputting raw data, the
each record as a numbered line of hex values,
same data as ASCII characters. The two parts are
vertical bar. Nonprinting characters are replaced
printing. Output is printed in colored HTML. Data
client to the server is in blue; the server’s reply
used with looping mode, the different connections
horizontal lines. You can use this option to
and decoding. The tool does not automatically
sessions. If you are intercepting an SSL connection,
that the tool can detect and decode SSL
a certificate chain, it saves the DER-encoded
files in the current directory. The files are
where x is the sequence number of the certificate.
used with -h, two separate parts are printed
the plain hex/ASCII output, and the parsed SSL
printing of undecoded data inside parsed SSL
with the -s option. This option uses the same
that is, continue to accept connections rather
the first connection is complete.
rendezvous port (1924) to another port.
over SSL) Usage and Examples
Debugging Tool to intercept any connection
can run the tool at its most basic by issuing
options other than hostname:port, the
way is not very useful. For example, assume
called intercept. The simplest way to use the
execute the following command from a command shell:
incoming connection on the default port 1924. In
the URL http://intercept:1924. The browser
page from the server at www.netscape.com, but the
passed on to the browser by the debugging tool on
the browser, the data is printed to the command
the command. Data sent from the client to the
following symbols: --> [ data ] Data sent from
surrounded by the following symbols: “left
data stream is sent to standard output and is
This can result in peculiar effects, such as
crashes of the command shell window. To output a
interpretation of the data, use the -h option, or, if you
connection, the -s option. You will notice that the
incomplete in the browser. This is because, by
down after the first connection is complete, so
load images. To make the tool continue to
on looping mode with the -l option. The
output from commonly used combinations of
interzone.mcom.com:443 > sx.txt
0x00} cipher-specs-length = 39 (0x27)
SSL3/RSA-FIPS/3DES192EDE-CBC/SHA
0xec5d 0x8edb 0x37c9 0xb5c9 0x7b70 0x8fe9 0xd1d3
parsing. Because the -x option is not used in
values are output as raw data. The output is
0x00} cipher-specs-length = 36 (0x24)
SSL3/RSA-FIPS/3DES192EDE-CBC/SHA
0x713c 0x9338 0x30e1 0xf8d6 0xb934 0x7351 0x200c
option turns hex/ASCII format. There is no SSL
output is routed to a text file.
option turns on SSL parsing, and the -h option
Both formats are shown for each record. The
interzone.mcom.com:443 > hs.txt
00 00 00 10 01 00 80 02 00 | .=….$………
06 00 40 07 00 c0 00 00 04 | ………@……
ff e1 00 00 09 00 00 03 03 | ……..á…….
2c 86 78 96 5d b5 cf e9 |U..yÇxb0 ,.x.]µÏé
0x00} cipher-specs-length = 36 (0x24)
SSL3/RSA-FIPS/3DES192EDE-CBC/SHA
0x0355 0xe6e4 0x9979 0xc7d7 0x2c86 0x7896 0x5db
previous session, it makes use of cached information
If you wish to capture a full SSL handshake,
machine other than the SSL server to which you
browser will complain that the host name you
different from the certificate. If you are
callback, you can still connect through a
using the default BadCert callback, the one you
possibility. See Also
also documented at [1]http://www.mozilla.org/projects/security/pki/nss/. Additional Resources
conjunction with PKI and security-related projects
The most closely-related project is Dogtag PKI,
[2]http://pki.fedoraproject.org/wiki/.
specifically about NSS, the NSS project wiki is located at [3]http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates
pki-devel@redhat.com and pki-users@redhat.com
#dogtag-pki Authors
and maintained by developers with Netscape and
<emaldona@redhat.com>, Deon Lackey
Licensed under the GNU Public License version 2. References
http://www.mozilla.org/projects/secu…/pki/nss/tools http://pki.fedoraproject.org/wiki/ |
||
358 |
mozilla_projects_nss_tools_vfychain |
|
[options] [revocation options] certfile [[options]
vfychain, verifies certificate chains. modutil can
modules, change passwords on security databases,
contents, enable or disable slots, enable or
compliance, and assign default providers for
This tool can also create certificate, key, and
security module database management are part of
also involves managing key databases and
cert validation(Format OID.1.2.3)
validate certificate by calling:
CERT_VerifyCertificate if specified once,
CERT_PKIXVerifyCert if specified twice and more.
explicitly trusted (overrides db trust)
server, 2=SSL StepUp, 3=SSL CA, 4=Email
recipient, 6=Object signer, 9=ProtectedObjectSigner, 10=OCSP responder, 11=Any CA
Prints root cert subject(double the argument for
for PKIX API (invoked with -pp options) is a
following flags: [-g type [-h flags] [-m type
checking test type. Possible values are “leaf” or
checking test type. Possible values are “leaf” or
flags for the test type it follows. Possible
“testLocalInfoFirst” and “requireFreshInfo”.
for the test type it follows. Possible types are
flags for the method it follows. Possible types
“forbidFetching”, “ignoreDefaultSrc”,
“failIfNoInfo”. Additional Resources
and other tools related to NSS (like JSS), check
[1]http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates
https://lists.mozilla.org/listinfo/dev-tech-crypto
#dogtag-pki Authors
and maintained by developers with Netscape, Red
<emaldona@redhat.com>, Deon Lackey
Licensed under the GNU Public License version 2. References
|
||
359 |
mozilla_projects_nss_tools_vfyserv |
|
Coming soon |
||
360 |
mozilla_projects_nss_troubleshooting |
NSS |
On this page, let’s collect information on how to troubleshoot NSS at runtime. Debugging tips, how to enable tracing of the various modules, etc. |
||
361 |
mozilla_projects_nss_utility_functions |
NSS |
The public functions listed here perform initialization tasks and other services. |
||