SIGNVER(1)                         NSS Security Tools

NAME
       signver - Verify a detached PKCS#7 signature for a file.

SYNOPSIS
       signver [-A] [-V] [-d directory] [-a] [-i input_file] [-o output_file] [-s signature_file] [-v]

STATUS
       This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477.

Description
       The Signature Verification Tool, signver, is a simple command-line utility that unpacks a base-64-encoded PKCS#7 signed object and verifies the digital signature using standard cryptographic techniques. The Signature Verification Tool can also display the contents of the signed object.

Options
       -A
              Displays all of the information in the PKCS#7 signature.

       -V
              Verifies the digital signature.

       -d [sql:]directory
              Specify the database directory which contains the certificates and keys.

              signver supports two types of databases: the legacy security databases (cert8.db, key3.db, and secmod.db) and the newer SQLite databases (cert9.db, key4.db, and pkcs11.txt). If the sql: prefix is not used, the tool assumes that the given databases are in the legacy format.

       -a
              Specifies that the given signature file is in ASCII format.
       -i input_file
              Gives the input file for the object with signed data.

       -o output_file
              Gives the output file to which to write the results.

       -s signature_file
              Gives the input file for the digital signature.

       -v
              Enables verbose output.

Extended Examples
   Verifying a Signature
       The -V option verifies that the signature in the given signature file is valid for the given object (read from the input file).

              signver -V -s signature_file -i signed_file -d sql:/home/my/sharednssdb

              signatureValid=yes

   Printing Signature Data
       The -A option prints all of the information contained in a signature file. Using the -o option writes the signature file information to the given output file rather than to stdout.

              signver -A -s signature_file -o output_file

NSS Database Types
       NSS originally used BerkeleyDB databases to store security information. The last versions of these legacy databases are:

       *   cert8.db for certificates

       *   key3.db for keys

       *   secmod.db for PKCS #11 module information

       BerkeleyDB has performance limitations, though, which prevent it from being easily used by multiple applications simultaneously. NSS has some flexibility that allows applications to use their own, independent database engine while keeping a shared database and working around the access issues.
       Still, NSS requires more flexibility to provide a truly shared security database.

       In 2009, NSS introduced a new set of databases that are SQLite databases rather than BerkeleyDB. These new databases provide more accessibility and performance:

       *   cert9.db for certificates

       *   key4.db for keys

       *   pkcs11.txt, which lists all of the PKCS #11 modules, contained in a new subdirectory in the security databases directory

       Because the SQLite databases are designed to be shared, these are the shared database type. The shared database type is preferred; the legacy format is included for backward compatibility.

       By default, the tools (certutil, pk12util, modutil) assume that the given security databases follow the more common legacy type. Use of the SQLite databases must be specified explicitly by prefixing the given security directory with sql:. For example:

              # signver -A -s signature -d sql:/home/my/sharednssdb

       To set the shared database type as the default type for the tools, set the NSS_DEFAULT_DB_TYPE environment variable to sql:

              export NSS_DEFAULT_DB_TYPE="sql"

       This line can be added to the ~/.bashrc file to make the change permanent for the user.

       Most applications do not use the shared database by default, but they can be configured to use it.
       For example, this how-to article covers how to configure Firefox and Thunderbird to use the new shared NSS databases:

              https://wiki.mozilla.org/NSS_Shared_DB_Howto

       For an engineering draft on the changes in the shared NSS databases, see the NSS project wiki:

              https://wiki.mozilla.org/NSS_Shared_DB

See Also
       signtool (1)

       The NSS wiki has information on the new database design and how to configure applications to use it.

       Setting up the shared NSS database
              https://wiki.mozilla.org/NSS_Shared_DB_Howto

       Engineering and technical information about the shared NSS database
              https://wiki.mozilla.org/NSS_Shared_DB

Additional Resources
       For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates directly to NSS code changes and releases.

       Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto

       IRC: Freenode at #dogtag-pki

Authors
       The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.

       Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey <dlackey@redhat.com>.

LICENSE
       Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
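A closing example, added here and not part of the NSS tools or of this man page: a POSIX sh wrapper around the signver -V invocation shown under Extended Examples that passes a database directory (with or without the sql: prefix) and fails closed unless signver prints an exact signatureValid=yes line. It assumes signver is on PATH (the SIGNVER_BIN override variable is this wrapper's own convention, not an NSS one) and that a bad signature is reported as signatureValid=no, which is an assumption.

```shell
#!/bin/sh
# Added example wrapper (not NSS code): verify a detached PKCS#7 signature
# with signver and treat anything but "signatureValid=yes" as failure.

# SIGNVER_BIN is this wrapper's own override hook (assumption); it defaults
# to the signver binary on PATH.
: "${SIGNVER_BIN:=signver}"

# parse_signver_output OUTPUT
# Returns 0 only if OUTPUT contains a line that is exactly "signatureValid=yes".
# Anything else (signatureValid=no, a partial match, an error message) is 1.
parse_signver_output() {
    printf '%s\n' "$1" | grep -qx 'signatureValid=yes'
}

# verify_detached_sig SIGNATURE_FILE SIGNED_FILE DBDIR
# DBDIR is passed straight to -d, so "sql:/path" selects the SQLite
# databases (cert9.db, key4.db) and a bare path selects the legacy ones.
# Exit status: 0 = valid, 1 = signver ran but did not report a valid
# signature, 2 = signver itself failed (bad database path, missing file).
verify_detached_sig() {
    sig=$1; data=$2; dbdir=$3
    out=$("$SIGNVER_BIN" -V -s "$sig" -i "$data" -d "$dbdir" 2>&1) || return 2
    parse_signver_output "$out"
}
```

The exit status distinguishes a signature that failed to verify from a tool error such as an unreadable database directory, so a calling script can log the two cases differently.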