1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
1.2 +++ b/security/nss/doc/vfychain.xml Wed Dec 31 06:09:35 2014 +0100
1.3 @@ -0,0 +1,232 @@
1.4 +<?xml version="1.0" encoding="UTF-8"?>
1.5 +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
1.6 + "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
1.7 +<!ENTITY date SYSTEM "date.xml">
1.8 +<!ENTITY version SYSTEM "version.xml">
1.9 +]>
1.10 +
1.11 +<refentry id="vfychain">
1.12 +
1.13 + <refentryinfo>
1.14 + <date>&date;</date>
1.15 + <title>NSS Security Tools</title>
1.16 + <productname>nss-tools</productname>
1.17 + <productnumber>&version;</productnumber>
1.18 + </refentryinfo>
1.19 +
1.20 + <refmeta>
1.21 + <refentrytitle>VFYCHAIN</refentrytitle>
1.22 + <manvolnum>1</manvolnum>
1.23 + </refmeta>
1.24 +
1.25 + <refnamediv>
1.26 + <refname>vfychain </refname>
1.27 + <refpurpose>vfychain [options] [revocation options] certfile [[options] certfile] ...</refpurpose>
1.28 + </refnamediv>
1.29 +
1.30 + <refsynopsisdiv>
1.31 + <cmdsynopsis>
1.32 + <command>vfychain</command>
1.33 + </cmdsynopsis>
1.34 + </refsynopsisdiv>
1.35 +
1.36 + <refsection>
1.37 + <title>STATUS</title>
1.38 + <para>This documentation is still work in progress. Please contribute to the initial review in <ulink url="https://bugzilla.mozilla.org/show_bug.cgi?id=836477">Mozilla NSS bug 836477</ulink>
1.39 + </para>
1.40 + </refsection>
1.41 +
1.42 + <refsection id="description">
1.43 + <title>Description</title>
1.44 + <para>The verification Tool, <command>vfychain</command>, verifies certificate chains. <command>modutil</command> can add and delete PKCS #11 modules, change passwords on security databases, set defaults, list module contents, enable or disable slots, enable or disable FIPS 140-2 compliance, and assign default providers for cryptographic operations. This tool can also create certificate, key, and module security database files.</para>
1.45 +
1.46 + <para>The tasks associated with security module database management are part of a process that typically also involves managing key databases and certificate databases.</para>
1.47 + </refsection>
1.48 +
1.49 + <refsection id="options">
1.50 + <title>Options</title>
1.51 +
1.52 + <variablelist>
1.53 +
1.54 + <varlistentry>
1.55 + <term><option>-a</option></term>
1.56 + <listitem>
1.57 + <simpara>the following certfile is base64 encoded</simpara>
1.58 + </listitem>
1.59 + </varlistentry>
1.60 +
1.61 + <varlistentry>
1.62 + <term><option>-b </option> <replaceable>YYMMDDHHMMZ</replaceable></term>
1.63 + <listitem>
1.64 + <simpara>Validate date (default: now)</simpara>
1.65 + </listitem>
1.66 + </varlistentry>
1.67 +
1.68 + <varlistentry>
1.69 + <term><option>-d </option> <replaceable>directory</replaceable></term> <listitem>
1.70 + <simpara>database directory</simpara>
1.71 + </listitem>
1.72 + </varlistentry>
1.73 +
1.74 + <varlistentry>
1.75 + <term><option>-f </option> </term>
1.76 + <listitem>
1.77 + <simpara>Enable cert fetching from AIA URL</simpara>
1.78 + </listitem>
1.79 + </varlistentry>
1.80 +
1.81 + <varlistentry>
1.82 + <term><option>-o </option> <replaceable>oid</replaceable></term>
1.83 + <listitem>
1.84 + <simpara>Set policy OID for cert validation(Format OID.1.2.3)</simpara>
1.85 + </listitem>
1.86 + </varlistentry>
1.87 +
1.88 + <varlistentry>
1.89 + <term><option>-p </option></term>
1.90 + <listitem>
1.91 + <simpara>Use PKIX Library to validate certificate by calling:</simpara>
1.92 + <simpara> * CERT_VerifyCertificate if specified once,</simpara>
1.93 + <simpara> * CERT_PKIXVerifyCert if specified twice and more.</simpara>
1.94 + </listitem>
1.95 + </varlistentry>
1.96 +
1.97 + <varlistentry>
1.98 + <term><option>-r </option></term>
1.99 + <listitem>
1.100 + <simpara>Following certfile is raw binary DER (default)</simpara>
1.101 + </listitem>
1.102 + </varlistentry>
1.103 +
1.104 + <varlistentry>
1.105 + <term><option>-t</option></term>
1.106 + <listitem>
1.107 + <simpara>Following cert is explicitly trusted (overrides db trust)</simpara>
1.108 + </listitem>
1.109 + </varlistentry>
1.110 +
1.111 + <varlistentry>
1.112 + <term><option>-u </option> <replaceable>usage</replaceable></term>
1.113 + <listitem>
1.114 + <para>
1.115 + 0=SSL client, 1=SSL server, 2=SSL StepUp, 3=SSL CA,
1.116 + 4=Email signer, 5=Email recipient, 6=Object signer,
1.117 + 9=ProtectedObjectSigner, 10=OCSP responder, 11=Any CA
1.118 + </para>
1.119 + </listitem>
1.120 + </varlistentry>
1.121 +
1.122 + <varlistentry>
1.123 + <term><option>-T </option></term>
1.124 + <listitem>
1.125 + <simpara>Trust both explicit trust anchors (-t) and the database. (Without this option, the default is to only trust certificates marked -t, if there are any, or to trust the database if there are certificates marked -t.)
1.126 + </simpara>
1.127 + </listitem>
1.128 + </varlistentry>
1.129 +
1.130 + <varlistentry>
1.131 + <term><option>-v </option></term>
1.132 + <listitem>
1.133 + <simpara>Verbose mode. Prints root cert subject(double the
1.134 + argument for whole root cert info)
1.135 + </simpara>
1.136 + </listitem>
1.137 + </varlistentry>
1.138 +
1.139 + <varlistentry>
1.140 + <term><option>-w </option> <replaceable>password</replaceable></term>
1.141 + <listitem>
1.142 + <simpara>Database password</simpara>
1.143 + </listitem>
1.144 + </varlistentry>
1.145 +
1.146 + <varlistentry>
1.147 + <term><option>-W </option> <replaceable>pwfile</replaceable></term>
1.148 + <listitem>
1.149 + <simpara>Password file</simpara>
1.150 + </listitem>
1.151 + </varlistentry>
1.152 +
1.153 + <varlistentry>
1.154 + <term><option></option></term>
1.155 + <listitem>
1.156 + <simpara>Revocation options for PKIX API (invoked with -pp options) is a
1.157 + collection of the following flags:
1.158 + [-g type [-h flags] [-m type [-s flags]] ...] ...</simpara>
1.159 + <simpara>Where: </simpara>
1.160 + </listitem>
1.161 + </varlistentry>
1.162 +
1.163 + <varlistentry>
1.164 + <term><option>-g </option> <replaceable>test-type</replaceable></term>
1.165 + <listitem>
1.166 + <simpara>Sets status checking test type. Possible values
1.167 + are "leaf" or "chain"
1.168 + </simpara>
1.169 + </listitem>
1.170 + </varlistentry>
1.171 +
1.172 + <varlistentry>
1.173 + <term><option>-g </option> <replaceable>test type</replaceable></term>
1.174 + <listitem>
1.175 + <simpara>Sets status checking test type. Possible values
1.176 + are "leaf" or "chain".
1.177 + </simpara>
1.178 + </listitem>
1.179 + </varlistentry>
1.180 +
1.181 + <varlistentry>
1.182 + <term><option>-h </option> <replaceable>test flags</replaceable></term>
1.183 + <listitem>
1.184 + <simpara>Sets revocation flags for the test type it
1.185 + follows. Possible flags: "testLocalInfoFirst" and
1.186 + "requireFreshInfo".
1.187 + </simpara>
1.188 + </listitem>
1.189 + </varlistentry>
1.190 +
1.191 + <varlistentry>
1.192 + <term><option>-m </option> <replaceable>method type</replaceable></term>
1.193 + <listitem>
1.194 + <simpara>Sets method type for the test type it follows.
1.195 + Possible types are "crl" and "ocsp".
1.196 + </simpara>
1.197 + </listitem>
1.198 + </varlistentry>
1.199 + <varlistentry>
1.200 + <term><option>-s </option> <replaceable>method flags</replaceable></term>
1.201 + <listitem>
1.202 + <simpara>Sets revocation flags for the method it follows.
1.203 + Possible types are "doNotUse", "forbidFetching",
1.204 + "ignoreDefaultSrc", "requireInfo" and "failIfNoInfo".
1.205 + </simpara>
1.206 + </listitem>
1.207 + </varlistentry>
1.208 + </variablelist>
1.209 + </refsection>
1.210 +
1.211 +<!-- don't change -->
1.212 + <refsection id="resources">
1.213 + <title>Additional Resources</title>
1.214 + <para>For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at <ulink url="http://www.mozilla.org/projects/security/pki/nss/">http://www.mozilla.org/projects/security/pki/nss/</ulink>. The NSS site relates directly to NSS code changes and releases.</para>
1.215 + <para>Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto</para>
1.216 + <para>IRC: Freenode at #dogtag-pki</para>
1.217 + </refsection>
1.218 +
1.219 +<!-- fill in your name first; keep the other names for reference -->
1.220 + <refsection id="authors">
1.221 + <title>Authors</title>
1.222 + <para>The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
1.223 + <para>
1.224 + Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey <dlackey@redhat.com>.
1.225 + </para>
1.226 + </refsection>
1.227 +
1.228 +<!-- don't change -->
1.229 + <refsection id="license">
1.230 + <title>LICENSE</title>
1.231 + <para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
1.232 + </para>
1.233 + </refsection>
1.234 +
1.235 +</refentry>
