security/nss/cmd/modutil/pk11jar.html@7e26c7da4463
security/nss/cmd/modutil/pk11jar.html
Wed, 31 Dec 2014 06:55:50 +0100
- author
- Michael Schloh von Bennewitz <michael@schloh.com>
- date
- Wed, 31 Dec 2014 06:55:50 +0100
- changeset 2
- 7e26c7da4463
- permissions
- -rw-r--r--
Added tag UPSTREAM_283F7C6 for changeset ca08bd8f51b2
1 <html>
2 <!-- This Source Code Form is subject to the terms of the Mozilla Public
3 - License, v. 2.0. If a copy of the MPL was not distributed with this
4 - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
5 <head>
6 <title>PKCS #11 JAR Format</title>
7 </head>
8 <body bgcolor=white text=black link=blue vlink=purple alink=red>
9 <center><h1>PKCS #11 JAR Format</h1></center>
11 <p>PKCS #11 modules can be packaged into JAR files that support automatic
12 installation onto the filesystem and into the security module database.
13 The JAR file should contain:
14 <ul>
15 <li>All files that will be installed onto the target machine. This will
16 include at least the PKCS #11 module library file (.DLL or .so), and
17 may also include any other file that should be installed (such as
18 documentation).
19 <li>A script to perform the installation.
20 </ul>
21 The script can be in one of two forms. If the JAR file is to be
22 run by Communicator (or any program that interprets Javascript), the
23 instructions will be in the form of a SmartUpdate script.
24 <a href="http://devedge/library/documentation/security/jmpkcs/">Documentation
25 </a> on creating this script can be found on DevEdge.
27 <p>If the
28 JAR file is to be run by a server, modutil, or any other program that
29 doesn't interpret Javascript, a special information file must be included
30 in the format described in this document.
32 <h2>Declaring the Script in the Manifest File</h2>
33 The script can have any name, but it must be declared in the manifest file
34 of the JAR archive. The metainfo tag for this is
35 <code>Pkcs11_install_script</code>. Meta-information is put in the manifest
36 file by putting it in a file which is passed to
37 <a href="http://developer.netscape.com/software/index_frame.html?content=signedobj/jarpack.html#signtool1.3">Signtool</a>. For example,
38 suppose the PKCS #11 installer script is in the file <code>pk11install</code>.
39 In Signtool's metainfo file, you would have a line like this:
40 <blockquote><pre>
41 + Pkcs11_install_script: pk11install
42 </pre></blockquote>
44 <h2>Sample Script File</h2>
45 <blockquote><pre>
46 ForwardCompatible { IRIX:6.2:mips Solaris:5.5.1:sparc }
47 Platforms {
48 WINNT::x86 {
49 ModuleName { "Fortezza Module" }
50 ModuleFile { win32/fort32.dll }
51 DefaultMechanismFlags{0x0001}
52 DefaultCipherFlags{0x0001}
53 Files {
54 win32/setup.exe {
55 Executable
56 RelativePath { %temp%/setup.exe }
57 }
58 win32/setup.hlp {
59 RelativePath { %temp%/setup.hlp }
60 }
61 win32/setup.cab {
62 RelativePath { %temp%/setup.cab }
63 }
64 }
65 }
66 WIN95::x86 {
67 EquivalentPlatform {WINNT::x86}
68 }
69 Solaris:5.5.1:sparc {
70 ModuleName { "Fortezza UNIX Module" }
71 ModuleFile { unix/fort.so }
72 DefaultMechanismFlags{0x0001}
73 CipherEnableFlags{0x0001}
74 Files {
75 unix/fort.so {
76 RelativePath{%root%/lib/fort.so}
77 AbsolutePath{/usr/local/netscape/lib/fort.so}
78 FilePermissions{555}
79 }
80 xplat/instr.html {
81 RelativePath{%root%/docs/inst.html}
82 AbsolutePath{/usr/local/netscape/docs/inst.html}
83 FilePermissions{555}
84 }
85 }
86 }
87 IRIX:6.2:mips {
88 EquivalentPlatform { Solaris:5.5.1:sparc }
89 }
90 }
91 </pre></blockquote>
93 <hr>
95 <h2>Script File Grammar</h2>
96 <blockquote><pre>
97 --> <i>valuelist</i>
99 <i>valuelist</i> --> <i>value</i> <i>valuelist</i>
100 <i> </i> <i><null></i>
102 <i>value</i> --> <i>key_value_pair</i>
103 <i> </i> <i>string</i>
105 <i>key_value_pair</i> --> <i>key</i> { <i>valuelist</i> }
107 <i>key</i> --> <i>string</i>
109 <i>string</i> --> <i>simple_string</i>
110 <i> </i> "<i>complex_string</i>"
112 <i>simple_string</i> --> [^ \t\n\""{""}"]+ <font size=-1><i>(no whitespace, quotes, or braces)</i></font>
114 <i>complex_string</i> --> ([^\"\\\r\n]|(\\\")|(\\\\))+ <font size=-1><i>(quotes and backslashes must be escaped with a backslash, no newlines or carriage returns are allowed in the string)</i></font>
115 </pre></blockquote>
116 Outside of complex strings, all whitespace (space, tab, newline) is considered
117 equal and is used only to delimit tokens.
119 <hr>
121 <h2>Keys</h2>
122 Keys are case-insensitive.
123 <h3>Global Keys</h3>
124 <dl>
125 <dt><code>ForwardCompatible</code>
126 <dd>Gives a list of platforms that are forward compatible. If the current
127 platform cannot be found in the list of supported platforms, then the
128 ForwardCompatible list will be checked for any platforms that have the same
129 OS and architecture and an earlier version. If one is found, its
130 attributes will be used for the current platform.
131 <dt><code>Platforms</code> (<i>required</i>)
132 <dd>Gives a list of platforms. Each entry in the list is itself a key-value
133 pair:
134 the key is the name of the platform, and the valuelist contains various
135 attributes of the platform. The ModuleName, ModuleFile, and Files attributes
136 must be specified, unless an EquivalentPlatform attribute is specified.
137 The platform string is in the following
138 format: <u><i>system name</i></u>:<u><i>os release</i></u>:<u><i>architecture</i></u>. The installer
139 will obtain these values from NSPR. <u><i>os release</i></u> is an empty
140 string on non-UNIX operating systems. The following system names and platforms
141 are currently defined by NSPR:<code>
142 <ul>
143 <li>AIX (rs6000)
144 <li>BSDI (x86)
145 <li>FREEBSD (x86)
146 <li>HPUX (hppa1.1)
147 <li>IRIX (mips)
148 <li>LINUX (ppc, alpha, x86)
149 <li>MacOS (PowerPC) </code>(<i>Note: NSPR actually defines the OS as
150 "</i><code>Mac OS</code><i>". The
151 space makes the name unsuitable for being embedded in identifiers. Until
152 NSPR changes, you will have to add some special code to deal with this case.
153 </i>)<code>
154 <li>NCR (x86)
155 <li>NEC (mips)
156 <li>OS2 (x86)
157 <li>OSF (alpha)
158 <li>ReliantUNIX (mips)
159 <li>SCO (x86)
160 <li>SOLARIS (sparc)
161 <li>SONY (mips)
162 <li>SUNOS (sparc)
163 <li>UnixWare (x86)
164 <li>WIN95 (x86)
165 <li>WINNT (x86)
166 </ul>
167 </code>
168 Examples of valid platform strings: <code>IRIX:6.2:mips, Solaris:5.5.1:sparc,
169 Linux:2.0.32:x86, WIN95::x86</code>.
170 </dl>
172 <h3>Per-Platform Keys</h3>
173 These keys only have meaning within the value list of an entry in
174 the <code>Platforms</code> list.
175 <dl>
176 <dt><code>ModuleName</code> (<i>required</i>)
177 <dd>Gives the common name for the module. This name will be used to
178 reference the module from Communicator, modutil, servers, or any other
179 program that uses the Netscape security module database.
180 <dt><code>ModuleFile</code> (<i>required</i>)
181 <dd>Names the PKCS #11 module file (DLL or .so) for this platform. The name
182 is given as the relative path of the file within the JAR archive.
183 <dt><code>Files</code> (<i>required</i>)
184 <dd>Lists the files that should be installed for this module. Each entry
185 in the file list is a key-value pair: the key is the path of the file in
186 the JAR archive, and
187 the valuelist contains attributes of the file. At least RelativePath and
188 AbsoluteDir must be specified in this valuelist.
189 <dt><code>DefaultMechanismFlags</code>
190 <dd>This key-value pair specifies
191 of which mechanisms this module will be a default provider. It is a bitstring
192 specified in hexadecimal (0x) format. It is constructed as a bitwise OR
193 of the following constants. If the <code>DefaultMechanismFlags</code>
194 entry is omitted, the value will default to 0x0.
195 <blockquote><pre>
196 RSA: 0x0000 0001
197 DSA: 0x0000 0002
198 RC2: 0x0000 0004
199 RC4: 0x0000 0008
200 DES: 0x0000 0010
201 DH: 0x0000 0020
202 FORTEZZA: 0x0000 0040
203 RC5: 0x0000 0080
204 SHA1: 0x0000 0100
205 MD5: 0x0000 0200
206 MD2: 0x0000 0400
207 RANDOM: 0x0800 0000
208 FRIENDLY: 0x1000 0000
209 OWN_PW_DEFAULTS: 0x2000 0000
210 DISABLE: 0x4000 0000
211 </pre></blockquote>
212 <dt><code>CipherEnableFlags</code>
213 <dd>This key-value pair specifies
214 which SSL ciphers will be enabled. It is a bitstring specified in
215 hexadecimal (0x) format. It is constructed as a bitwise OR of the following
216 constants. If the <code>CipherEnableFlags</code> entry is omitted, the
217 value will default to 0x0.
218 <blockquote><pre>
219 FORTEZZA: 0x0000 0001
220 </pre></blockquote>
221 <dt><code>EquivalentPlatform</code>
222 <dd>Specifies that the attributes of the named platform should also be used
223 for the current platform. Saves typing when there is more than one platform
224 that uses the same settings.
225 </dl>
227 <h3>Per-File Keys</h3>
228 These keys only have meaning within the valuelist of an entry in a
229 <code>Files</code> list. At least one of <code>RelativePath</code> and
230 <code>AbsolutePath</code> must be specified. If both are specified, the
231 relative path will be tried first and the absolute path used only if no
232 relative root directory is provided by the installer program.
233 <dl>
234 <dt><code>RelativePath</code>
235 <dd>Specifies the destination directory of the file, relative to some directory
236 decided at install-time. Two variables can be used in the relative
237 path, "%root%" and "%temp%". "%root%" will be replaced at run-time with
238 the directory relative to which files should be installed; for
239 example, it may be the server's root directory or Communicator's root
240 directory. "%temp%" is a directory that will be created at the beginning
241 of the installation and destroyed at the end of the installation. Its purpose
242 is to hold executable files (such as setup programs), or files that are
243 used by these programs. For example, a Windows installation might consist
244 of a <code>setup.exe</code> installation program, a help file, and a .cab file
245 containing compressed information. All these files could be installed into the
246 temporary directory. Files destined for the temporary directory are guaranteed
247 to be in place before any executable file is run, and will not be deleted
248 until all executable files have finished.
249 <dt><code>AbsoluteDir</code>
250 <dd>Specifies the destination directory of the file as an absolute path.
251 This will only be used if the installer is unable to determine a
252 relative directory.
253 <dt><code>Executable</code>
254 <dd>This string specifies that the file is to be executed during the
255 course of the
256 installation. Typically this would be used for a setup program provided
257 by a module vendor, such as a self-extracting <code>setup.exe</code>.
258 More than one file can be specified as executable, in which case they will
259 be run in the order they are specified in the script file.
260 <dt><code>FilePermissions</code>
261 <dd>This string is interpreted as a string of octal digits, according to the
262 standard UNIX format. It is a bitwise OR of the following constants:
263 <blockquote><pre>
264 user read: 400
265 user write: 200
266 user execute: 100
267 group read: 040
268 group write: 020
269 group execute: 010
270 other read: 004
271 other write: 002
272 other execute: 001
273 </pre></blockquote>
274 Some platforms may not understand these permissions. They will only be
275 applied insofar as makes sense for the current platform. If this attribute
276 is omitted, a default of 777 is assumed.
278 </body>
279 </html>
