security/nss/cmd/symkeyutil/symkey.man@b8a032363ba2 (annotated)
security/nss/cmd/symkeyutil/symkey.man
Thu, 22 Jan 2015 13:21:57 +0100
- author
- Michael Schloh von Bennewitz <michael@schloh.com>
- date
- Thu, 22 Jan 2015 13:21:57 +0100
- branch
- TOR_BUG_9701
- changeset 15
- b8a032363ba2
- permissions
- -rw-r--r--
Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6
| michael@0 | 1 | |
| michael@0 | 2 | NAME |
| michael@0 | 3 | symkeyutil - manage fixed keys in the database |
| michael@0 | 4 | |
| michael@0 | 5 | SYNOPSIS |
| michael@0 | 6 | symkeyutil -H |
| michael@0 | 7 | symkeyutil -L [std_opts] [-r] |
| michael@0 | 8 | symkeyutil -K [-n name] -t type [-s size] [-i id |-j id_file] [std_opts] |
| michael@0 | 9 | symkeyutil -D <[-n name | -i id | -j id_file> [std_opts] |
| michael@0 | 10 | symkeyutil -I [-n name] [-t type] [-i id | -j id_file] -k data_file [std_opts] |
| michael@0 | 11 | symkeyutil -E <-nname | -i id | -j id_file> [-t type] -k data_file [-r] [std_opts] |
| michael@0 | 12 | symkeyutil -U [-n name] [-t type] [-i id | -j id_file] -k data_file <wrap_opts> [std_opts] |
| michael@0 | 13 | symkeyutil -W <-n name | -i id | -j id_file> [-t type] -k data_file [-r] <wrap_opts> [std_opts] |
| michael@0 | 14 | symkeyutil -M <-n name | -i id | -j id_file> -g target_token [std_opts] |
| michael@0 | 15 | std_opts -> [-d certdir] [-P dbprefix] [-p password] [-f passwordFile] [-h token] |
| michael@0 | 16 | wrap_opts -> <-w wrap_name | -x wrap_id | -y id_file> |
| michael@0 | 17 | |
| michael@0 | 18 | DESCRIPTION |
| michael@0 | 19 | |
| michael@0 | 20 | NSS can store fixed keys as well as asymetric keys in the database. The |
| michael@0 | 21 | symkeyutil command can be used to manage these keys. |
| michael@0 | 22 | |
| michael@0 | 23 | As with certutil, symkeyutil takes two types of arguments, commands and |
| michael@0 | 24 | options. Most commands fall into one of two catagories: commands which |
| michael@0 | 25 | create keys and commands which extract or destroy keys. |
| michael@0 | 26 | |
| michael@0 | 27 | Exceptions to these catagories are listed first: |
| michael@0 | 28 | |
| michael@0 | 29 | -H takes no additional options. It lists a more detailed help message. |
| michael@0 | 30 | -L takes the standard set of options. It lists all the keys in the |
| michael@0 | 31 | specified token (NSS Internal DB Token is the default). Only the |
| michael@0 | 32 | -L option accepts the all option for tokens to list all the fixed |
| michael@0 | 33 | keys. |
| michael@0 | 34 | |
| michael@0 | 35 | Key Creation commands: |
| michael@0 | 36 | For these commands, the key type (-t) option is always required. |
| michael@0 | 37 | In addition, the -s option may be required for certain key types. |
| michael@0 | 38 | The standard set of options may be specified. |
| michael@0 | 39 | |
| michael@0 | 40 | -K Create a new key using the token key gen function. |
| michael@0 | 41 | -I Import a new key from the raw data specified in the data file, |
| michael@0 | 42 | specified with the -k options (required). This command may fail on |
| michael@0 | 43 | some tokens that don't support direct import of key material. |
| michael@0 | 44 | -U Unwrap a new key from an encrypted data file specified with the -k |
| michael@0 | 45 | option. The -w, -x, or -y option specifies the unwrapping key. |
| michael@0 | 46 | The unwrapping algorithm is selected based on the type of the |
| michael@0 | 47 | unwrapping key. |
| michael@0 | 48 | |
| michael@0 | 49 | Key extraction/destruction options: |
| michael@0 | 50 | For these keys, one and only of of the -n, -i, or -j options must be |
| michael@0 | 51 | specified. If more than one key matches the -n option, the 'first' key |
| michael@0 | 52 | matching will be used. The standard set of options may be specified. |
| michael@0 | 53 | |
| michael@0 | 54 | -D Delete the key specified by the -n, -i, or -j options. |
| michael@0 | 55 | -E Export the key specified by the -n, -i, or -j options and store the |
| michael@0 | 56 | contents to a file specified by the -k file (required). |
| michael@0 | 57 | This command will seldom work on any token since most keys are |
| michael@0 | 58 | protected from export. |
| michael@0 | 59 | -W Wrap the key specified by the -n, -i, or -j options and store the |
| michael@0 | 60 | encrypted contents to a file specified by the -k file (required). |
| michael@0 | 61 | The -w, -x, or -y option specifies the key used to wrap the |
| michael@0 | 62 | target key. |
| michael@0 | 63 | -M Move the key specified by the -n, -i, or -j options to the token |
| michael@0 | 64 | specified by the -g option (required). The new key will have the |
| michael@0 | 65 | same attributes as the source key. |
| michael@0 | 66 | |
| michael@0 | 67 | OPTIONS |
| michael@0 | 68 | |
| michael@0 | 69 | Standard options are those options that may be used by any command, and |
| michael@0 | 70 | whose meaning is the same for all commands. |
| michael@0 | 71 | |
| michael@0 | 72 | -h token Specify the token which the command will operate on. |
| michael@0 | 73 | If -h is not specified the internal token is presumed. In |
| michael@0 | 74 | addition the special value 'all' may be used to specify |
| michael@0 | 75 | that all tokens should be used. This is only valid for |
| michael@0 | 76 | the '-L' command. |
| michael@0 | 77 | -d certdir Specify the location of the NSS databases. The default |
| michael@0 | 78 | value is platform dependent. |
| michael@0 | 79 | -P dbprefix Specify the prefix for the NSS database. The default value |
| michael@0 | 80 | is NULL. |
| michael@0 | 81 | -p password Specify the password for the token. On the command line. |
| michael@0 | 82 | The -p and -f options are mutually exclusive. If |
| michael@0 | 83 | neither option is specified, the password would be |
| michael@0 | 84 | prompted from the user. |
| michael@0 | 85 | -f passwordFile Specify a file that contains the password for the token. |
| michael@0 | 86 | This option is mutually exclusive to the -p option. |
| michael@0 | 87 | |
| michael@0 | 88 | In addition to the standard options are the following command specific |
| michael@0 | 89 | options are. |
| michael@0 | 90 | |
| michael@0 | 91 | -r Opens the NSS databases Read/Write. By default the -L, |
| michael@0 | 92 | -E, and -W commands open the database read only. Other |
| michael@0 | 93 | commands automatically opens the databases Read/Write and |
| michael@0 | 94 | igore this option if it is specified. |
| michael@0 | 95 | |
| michael@0 | 96 | -n name Specifies the nickname for the key. |
| michael@0 | 97 | |
| michael@0 | 98 | For the -K, -I, or -U options, name is the name for |
| michael@0 | 99 | the new key. If -n is not specified, no name is |
| michael@0 | 100 | assumed. There is not check for duplicate names. |
| michael@0 | 101 | |
| michael@0 | 102 | For the -D, -E, -W, or -M, the name specifies the key to |
| michael@0 | 103 | operate on. In this case one andy only one of the -n, -i |
| michael@0 | 104 | or -j options should be specifed. It is possible that |
| michael@0 | 105 | the -n options specifies and ambiguous key. In that case |
| michael@0 | 106 | the 'first' valid key is used. |
| michael@0 | 107 | |
| michael@0 | 108 | For the -M option, the nickname for the new key is copied |
| michael@0 | 109 | from it's original key, even if the original key is |
| michael@0 | 110 | specified using -i or -j. |
| michael@0 | 111 | |
| michael@0 | 112 | -i key id |
| michael@0 | 113 | -j key id file These options are equivalent and mutually exclusive. |
| michael@0 | 114 | They specify the key id for the file. The -i option |
| michael@0 | 115 | specifies the key id on the command line using a hex |
| michael@0 | 116 | string. The -j specifies a file to read the raw key |
| michael@0 | 117 | id from. |
| michael@0 | 118 | |
| michael@0 | 119 | For the -K, -I, or -U options, key id is the key id for |
| michael@0 | 120 | the new key. If -i or -j is not specified, no key id |
| michael@0 | 121 | is assumed. Some tokens may generate their own unique |
| michael@0 | 122 | id for the key in this case (but it is not guarrenteed). |
| michael@0 | 123 | |
| michael@0 | 124 | For the -D, -E, -W, or -M, the key id specifies the key to |
| michael@0 | 125 | operate on. In this case one andy only one of the -n, -i |
| michael@0 | 126 | or -j options should be specifed. |
| michael@0 | 127 | |
| michael@0 | 128 | -t type Specifies the key Type for the new key. This option is |
| michael@0 | 129 | required for the -K, -I, and -U commands. Valid values |
| michael@0 | 130 | are: |
| michael@0 | 131 | generic, rc2, rc4, des, des2, des3, cast, cast3, |
| michael@0 | 132 | cast5, cast128, rc5, idea, skipjack, baton, juniper, |
| michael@0 | 133 | cdmf, aes, camellia |
| michael@0 | 134 | |
| michael@0 | 135 | Not all tokens support all key types. The generic key |
| michael@0 | 136 | type is usually used in MACing and key derivation |
| michael@0 | 137 | algorithms. Neither generic nor rc4 keys may be used |
| michael@0 | 138 | to wrap other keys. Fixed rc4 keys are dangerous since |
| michael@0 | 139 | multiple use of the same stream cipher key to encrypted |
| michael@0 | 140 | different data can compromise all data encrypted with |
| michael@0 | 141 | that key. |
| michael@0 | 142 | |
| michael@0 | 143 | -s size Specifies the key size. For most situations the key size |
| michael@0 | 144 | is already known and need not be specified. For some |
| michael@0 | 145 | algorithms, however, it is necessary to specify the key |
| michael@0 | 146 | size when generation or unwrapping the key. |
| michael@0 | 147 | |
| michael@0 | 148 | -k key file Specifies the name of a file that contains key data to |
| michael@0 | 149 | import or unwrap (-I or -U), or the location to store |
| michael@0 | 150 | key data or encrypted key data (-E or -W). |
| michael@0 | 151 | |
| michael@0 | 152 | -g target token Specifies the target token when moving a key (-M). This |
| michael@0 | 153 | option is required for the -M command. It is invalid for |
| michael@0 | 154 | all other commands. |
| michael@0 | 155 | |
| michael@0 | 156 | |
| michael@0 | 157 | |
| michael@0 | 158 | -w wrap name |
| michael@0 | 159 | -x wrap key id |
| michael@0 | 160 | -y wrap key id file Specifies the wrapping key used int the -U and -W |
| michael@0 | 161 | command. Exactly one of these must be specified for the |
| michael@0 | 162 | -U or -W commands. Same semantics as the -n, -i, and -j |
| michael@0 | 163 | options above. |
| michael@0 | 164 | |
| michael@0 | 165 | BUGS |
| michael@0 | 166 | |
| michael@0 | 167 | There is no way display the key id of a key. |
| michael@0 | 168 | |
| michael@0 | 169 | The -p and -f options only specifies one password. Multiple passwords may |
| michael@0 | 170 | be needed for the -L -h all command and the -M command. |
| michael@0 | 171 | |
| michael@0 | 172 | Perhaps RC4 should not be supported as a key type. Use of these keys as |
| michael@0 | 173 | fixed keys is exceedingly dangerous. |
| michael@0 | 174 | |
| michael@0 | 175 | The handling of multiple keys with the same nickname should be more |
| michael@0 | 176 | deterministic than 'the first one' |
| michael@0 | 177 | |
| michael@0 | 178 | There is no way to specify, or display the operation flags of a key. The |
| michael@0 | 179 | operation flags are not copied with the -M option as they should be. |
| michael@0 | 180 | |
| michael@0 | 181 | There is no way to change the attributes of a key (nickname, id, operation |
| michael@0 | 182 | flags). |
