michael@0: michael@0: NAME michael@0: symkeyutil - manage fixed keys in the database michael@0: michael@0: SYNOPSIS michael@0: symkeyutil -H michael@0: symkeyutil -L [std_opts] [-r] michael@0: symkeyutil -K [-n name] -t type [-s size] [-i id |-j id_file] [std_opts] michael@0: symkeyutil -D <[-n name | -i id | -j id_file> [std_opts] michael@0: symkeyutil -I [-n name] [-t type] [-i id | -j id_file] -k data_file [std_opts] michael@0: symkeyutil -E <-nname | -i id | -j id_file> [-t type] -k data_file [-r] [std_opts] michael@0: symkeyutil -U [-n name] [-t type] [-i id | -j id_file] -k data_file [std_opts] michael@0: symkeyutil -W <-n name | -i id | -j id_file> [-t type] -k data_file [-r] [std_opts] michael@0: symkeyutil -M <-n name | -i id | -j id_file> -g target_token [std_opts] michael@0: std_opts -> [-d certdir] [-P dbprefix] [-p password] [-f passwordFile] [-h token] michael@0: wrap_opts -> <-w wrap_name | -x wrap_id | -y id_file> michael@0: michael@0: DESCRIPTION michael@0: michael@0: NSS can store fixed keys as well as asymetric keys in the database. The michael@0: symkeyutil command can be used to manage these keys. michael@0: michael@0: As with certutil, symkeyutil takes two types of arguments, commands and michael@0: options. Most commands fall into one of two catagories: commands which michael@0: create keys and commands which extract or destroy keys. michael@0: michael@0: Exceptions to these catagories are listed first: michael@0: michael@0: -H takes no additional options. It lists a more detailed help message. michael@0: -L takes the standard set of options. It lists all the keys in the michael@0: specified token (NSS Internal DB Token is the default). Only the michael@0: -L option accepts the all option for tokens to list all the fixed michael@0: keys. michael@0: michael@0: Key Creation commands: michael@0: For these commands, the key type (-t) option is always required. michael@0: In addition, the -s option may be required for certain key types. michael@0: The standard set of options may be specified. michael@0: michael@0: -K Create a new key using the token key gen function. michael@0: -I Import a new key from the raw data specified in the data file, michael@0: specified with the -k options (required). This command may fail on michael@0: some tokens that don't support direct import of key material. michael@0: -U Unwrap a new key from an encrypted data file specified with the -k michael@0: option. The -w, -x, or -y option specifies the unwrapping key. michael@0: The unwrapping algorithm is selected based on the type of the michael@0: unwrapping key. michael@0: michael@0: Key extraction/destruction options: michael@0: For these keys, one and only of of the -n, -i, or -j options must be michael@0: specified. If more than one key matches the -n option, the 'first' key michael@0: matching will be used. The standard set of options may be specified. michael@0: michael@0: -D Delete the key specified by the -n, -i, or -j options. michael@0: -E Export the key specified by the -n, -i, or -j options and store the michael@0: contents to a file specified by the -k file (required). michael@0: This command will seldom work on any token since most keys are michael@0: protected from export. michael@0: -W Wrap the key specified by the -n, -i, or -j options and store the michael@0: encrypted contents to a file specified by the -k file (required). michael@0: The -w, -x, or -y option specifies the key used to wrap the michael@0: target key. michael@0: -M Move the key specified by the -n, -i, or -j options to the token michael@0: specified by the -g option (required). The new key will have the michael@0: same attributes as the source key. michael@0: michael@0: OPTIONS michael@0: michael@0: Standard options are those options that may be used by any command, and michael@0: whose meaning is the same for all commands. michael@0: michael@0: -h token Specify the token which the command will operate on. michael@0: If -h is not specified the internal token is presumed. In michael@0: addition the special value 'all' may be used to specify michael@0: that all tokens should be used. This is only valid for michael@0: the '-L' command. michael@0: -d certdir Specify the location of the NSS databases. The default michael@0: value is platform dependent. michael@0: -P dbprefix Specify the prefix for the NSS database. The default value michael@0: is NULL. michael@0: -p password Specify the password for the token. On the command line. michael@0: The -p and -f options are mutually exclusive. If michael@0: neither option is specified, the password would be michael@0: prompted from the user. michael@0: -f passwordFile Specify a file that contains the password for the token. michael@0: This option is mutually exclusive to the -p option. michael@0: michael@0: In addition to the standard options are the following command specific michael@0: options are. michael@0: michael@0: -r Opens the NSS databases Read/Write. By default the -L, michael@0: -E, and -W commands open the database read only. Other michael@0: commands automatically opens the databases Read/Write and michael@0: igore this option if it is specified. michael@0: michael@0: -n name Specifies the nickname for the key. michael@0: michael@0: For the -K, -I, or -U options, name is the name for michael@0: the new key. If -n is not specified, no name is michael@0: assumed. There is not check for duplicate names. michael@0: michael@0: For the -D, -E, -W, or -M, the name specifies the key to michael@0: operate on. In this case one andy only one of the -n, -i michael@0: or -j options should be specifed. It is possible that michael@0: the -n options specifies and ambiguous key. In that case michael@0: the 'first' valid key is used. michael@0: michael@0: For the -M option, the nickname for the new key is copied michael@0: from it's original key, even if the original key is michael@0: specified using -i or -j. michael@0: michael@0: -i key id michael@0: -j key id file These options are equivalent and mutually exclusive. michael@0: They specify the key id for the file. The -i option michael@0: specifies the key id on the command line using a hex michael@0: string. The -j specifies a file to read the raw key michael@0: id from. michael@0: michael@0: For the -K, -I, or -U options, key id is the key id for michael@0: the new key. If -i or -j is not specified, no key id michael@0: is assumed. Some tokens may generate their own unique michael@0: id for the key in this case (but it is not guarrenteed). michael@0: michael@0: For the -D, -E, -W, or -M, the key id specifies the key to michael@0: operate on. In this case one andy only one of the -n, -i michael@0: or -j options should be specifed. michael@0: michael@0: -t type Specifies the key Type for the new key. This option is michael@0: required for the -K, -I, and -U commands. Valid values michael@0: are: michael@0: generic, rc2, rc4, des, des2, des3, cast, cast3, michael@0: cast5, cast128, rc5, idea, skipjack, baton, juniper, michael@0: cdmf, aes, camellia michael@0: michael@0: Not all tokens support all key types. The generic key michael@0: type is usually used in MACing and key derivation michael@0: algorithms. Neither generic nor rc4 keys may be used michael@0: to wrap other keys. Fixed rc4 keys are dangerous since michael@0: multiple use of the same stream cipher key to encrypted michael@0: different data can compromise all data encrypted with michael@0: that key. michael@0: michael@0: -s size Specifies the key size. For most situations the key size michael@0: is already known and need not be specified. For some michael@0: algorithms, however, it is necessary to specify the key michael@0: size when generation or unwrapping the key. michael@0: michael@0: -k key file Specifies the name of a file that contains key data to michael@0: import or unwrap (-I or -U), or the location to store michael@0: key data or encrypted key data (-E or -W). michael@0: michael@0: -g target token Specifies the target token when moving a key (-M). This michael@0: option is required for the -M command. It is invalid for michael@0: all other commands. michael@0: michael@0: michael@0: michael@0: -w wrap name michael@0: -x wrap key id michael@0: -y wrap key id file Specifies the wrapping key used int the -U and -W michael@0: command. Exactly one of these must be specified for the michael@0: -U or -W commands. Same semantics as the -n, -i, and -j michael@0: options above. michael@0: michael@0: BUGS michael@0: michael@0: There is no way display the key id of a key. michael@0: michael@0: The -p and -f options only specifies one password. Multiple passwords may michael@0: be needed for the -L -h all command and the -M command. michael@0: michael@0: Perhaps RC4 should not be supported as a key type. Use of these keys as michael@0: fixed keys is exceedingly dangerous. michael@0: michael@0: The handling of multiple keys with the same nickname should be more michael@0: deterministic than 'the first one' michael@0: michael@0: There is no way to specify, or display the operation flags of a key. The michael@0: operation flags are not copied with the -M option as they should be. michael@0: michael@0: There is no way to change the attributes of a key (nickname, id, operation michael@0: flags).