NSS Security Tools

michael@0: michael@0: michael@0: michael@0: ]> michael@0: michael@0: michael@0: michael@0: michael@0: &date; michael@0: NSS Security Tools michael@0: nss-tools michael@0: &version; michael@0: michael@0: michael@0: michael@0: CMSUTIL michael@0: 1 michael@0: michael@0: michael@0: michael@0: cmsutil michael@0: Performs basic cryptograpic operations, such as encryption and decryption, on Cryptographic Message Syntax (CMS) messages. michael@0: michael@0: michael@0: michael@0: michael@0: cmsutil michael@0: options michael@0: [arguments] michael@0: michael@0: michael@0: michael@0: michael@0: STATUS michael@0: This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477 michael@0: michael@0: michael@0: michael@0: michael@0: Description michael@0: michael@0: The cmsutil command-line uses the S/MIME Toolkit to perform basic operations, such as encryption and decryption, on Cryptographic Message Syntax (CMS) messages. michael@0: michael@0: michael@0: To run cmsutil, type the command cmsutil option [arguments] where option and arguments are combinations of the options and arguments listed in the following section. michael@0: Each command takes one option. Each option may take zero or more arguments. michael@0: To see a usage string, issue the command without options. michael@0: michael@0: michael@0: michael@0: michael@0: michael@0: Options and Arguments michael@0: michael@0: michael@0: Options michael@0: michael@0: Options specify an action. Option arguments modify an action. michael@0: The options and arguments for the cmsutil command are defined as follows: michael@0: michael@0: michael@0: michael@0: -C michael@0: Encrypt a message. michael@0: michael@0: michael@0: michael@0: -D michael@0: Decode a message. michael@0: michael@0: michael@0: michael@0: -E michael@0: Envelope a message. michael@0: michael@0: michael@0: michael@0: -O michael@0: Create a certificates-only message. michael@0: michael@0: michael@0: michael@0: -S michael@0: Sign a message. michael@0: michael@0: michael@0: michael@0: michael@0: Arguments michael@0: Option arguments modify an action. michael@0: michael@0: michael@0: -b michael@0: michael@0: Decode a batch of files named in infile. michael@0: michael@0: michael@0: michael@0: michael@0: -c content michael@0: michael@0: Use this detached content (decode only). michael@0: michael@0: michael@0: michael@0: michael@0: -d dbdir michael@0: michael@0: Specify the key/certificate database directory (default is ".") michael@0: michael@0: michael@0: michael@0: michael@0: -e envfile michael@0: michael@0: Specify a file containing an enveloped message for a set of recipients to which you would like to send an encrypted message. If this is the first encrypted message for that set of recipients, a new enveloped message will be created that you can then use for future messages (encrypt only). michael@0: michael@0: michael@0: michael@0: michael@0: -f pwfile michael@0: michael@0: Use password file to set password on all PKCS#11 tokens. michael@0: michael@0: michael@0: michael@0: michael@0: -G michael@0: michael@0: Include a signing time attribute (sign only). michael@0: michael@0: michael@0: michael@0: michael@0: -H hash michael@0: michael@0: Use specified hash algorithm (default:SHA1). michael@0: michael@0: michael@0: michael@0: michael@0: -h num michael@0: michael@0: Generate email headers with info about CMS message (decode only). michael@0: michael@0: michael@0: michael@0: michael@0: -i infile michael@0: michael@0: Use infile as a source of data (default is stdin). michael@0: michael@0: michael@0: michael@0: michael@0: -k michael@0: michael@0: Keep decoded encryption certs in permanent cert db. michael@0: michael@0: michael@0: michael@0: michael@0: -N nickname michael@0: michael@0: Specify nickname of certificate to sign with (sign only). michael@0: michael@0: michael@0: michael@0: michael@0: -n michael@0: michael@0: Suppress output of contents (decode only). michael@0: michael@0: michael@0: michael@0: michael@0: -o outfile michael@0: michael@0: Use outfile as a destination of data (default is stdout). michael@0: michael@0: michael@0: michael@0: michael@0: -P michael@0: michael@0: Include an S/MIME capabilities attribute. michael@0: michael@0: michael@0: michael@0: michael@0: -p password michael@0: michael@0: Use password as key database password. michael@0: michael@0: michael@0: michael@0: michael@0: -r recipient1,recipient2, ... michael@0: michael@0: michael@0: Specify list of recipients (email addresses) for an encrypted or enveloped message. michael@0: For certificates-only message, list of certificates to send. michael@0: michael@0: michael@0: michael@0: michael@0: michael@0: -T michael@0: michael@0: Suppress content in CMS message (sign only). michael@0: michael@0: michael@0: michael@0: michael@0: -u certusage michael@0: michael@0: Set type of cert usage (default is certUsageEmailSigner). michael@0: michael@0: michael@0: michael@0: michael@0: -v michael@0: michael@0: Print debugging information. michael@0: michael@0: michael@0: michael@0: michael@0: -Y ekprefnick michael@0: michael@0: Specify an encryption key preference by nickname. michael@0: michael@0: michael@0: michael@0: michael@0: michael@0: michael@0: michael@0: michael@0: Usage michael@0: Encrypt Example michael@0: michael@0: cmsutil -C [-i infile] [-o outfile] [-d dbdir] [-p password] -r "recipient1,recipient2, . . ." -e envfile michael@0: michael@0: michael@0: Decode Example michael@0: michael@0: cmsutil -D [-i infile] [-o outfile] [-d dbdir] [-p password] [-c content] [-n] [-h num] michael@0: michael@0: michael@0: Envelope Example michael@0: michael@0: cmsutil -E [-i infile] [-o outfile] [-d dbdir] [-p password] -r "recipient1,recipient2, ..." michael@0: michael@0: michael@0: Certificate-only Example michael@0: michael@0: cmsutil -O [-i infile] [-o outfile] [-d dbdir] [-p password] -r "cert1,cert2, . . ." michael@0: michael@0: michael@0: Sign Message Example michael@0: michael@0: cmsutil -S [-i infile] [-o outfile] [-d dbdir] [-p password] -N nickname[-TGP] [-Y ekprefnick] michael@0: michael@0: michael@0: michael@0: michael@0: michael@0: See also michael@0: certutil(1) michael@0: michael@0: michael@0: michael@0: michael@0: Additional Resources michael@0: For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates directly to NSS code changes and releases. michael@0: Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto michael@0: IRC: Freenode at #dogtag-pki michael@0: michael@0: michael@0: michael@0: michael@0: Authors michael@0: The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google. michael@0: michael@0: Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey <dlackey@redhat.com>. michael@0: michael@0: michael@0: michael@0: michael@0: michael@0: LICENSE michael@0: Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. michael@0: michael@0: michael@0: michael@0: