diff -r 000000000000 -r 6474c204b198 security/nss/cmd/modutil/pk11jar.html --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/security/nss/cmd/modutil/pk11jar.html Wed Dec 31 06:09:35 2014 +0100 @@ -0,0 +1,279 @@ + + + +PKCS #11 JAR Format + + +

PKCS #11 JAR Format

+ +

PKCS #11 modules can be packaged into JAR files that support automatic +installation onto the filesystem and into the security module database. +The JAR file should contain: +

All files that will be installed onto the target machine. This will +include at least the PKCS #11 module library file (.DLL or .so), and +may also include any other file that should be installed (such as +documentation). +
A script to perform the installation. +

+The script can be in one of two forms. If the JAR file is to be +run by Communicator (or any program that interprets Javascript), the +instructions will be in the form of a SmartUpdate script. +Documentation + on creating this script can be found on DevEdge. + +

If the +JAR file is to be run by a server, modutil, or any other program that +doesn't interpret Javascript, a special information file must be included +in the format described in this document. + +

Declaring the Script in the Manifest File

+The script can have any name, but it must be declared in the manifest file +of the JAR archive. The metainfo tag for this is +Pkcs11_install_script. Meta-information is put in the manifest +file by putting it in a file which is passed to +Signtool. For example, +suppose the PKCS #11 installer script is in the file pk11install. +In Signtool's metainfo file, you would have a line like this: +

++ Pkcs11_install_script: pk11install
+

+ +

Sample Script File

+ForwardCompatible { IRIX:6.2:mips Solaris:5.5.1:sparc }
+Platforms {
+	WINNT::x86 {
+		ModuleName { "Fortezza Module" }
+		ModuleFile { win32/fort32.dll }
+		DefaultMechanismFlags{0x0001}
+		DefaultCipherFlags{0x0001}
+		Files {
+			win32/setup.exe {
+				Executable
+				RelativePath { %temp%/setup.exe }
+			}
+			win32/setup.hlp {
+				RelativePath { %temp%/setup.hlp }
+			}
+			win32/setup.cab {
+				RelativePath { %temp%/setup.cab }
+			}
+		}
+	}
+	WIN95::x86 {
+		EquivalentPlatform {WINNT::x86}
+	}
+	Solaris:5.5.1:sparc {
+		ModuleName { "Fortezza UNIX Module" }
+		ModuleFile { unix/fort.so }
+		DefaultMechanismFlags{0x0001}
+		CipherEnableFlags{0x0001}
+		Files {
+			unix/fort.so {
+				RelativePath{%root%/lib/fort.so}
+				AbsolutePath{/usr/local/netscape/lib/fort.so}
+				FilePermissions{555}
+			}
+			xplat/instr.html {
+				RelativePath{%root%/docs/inst.html}
+				AbsolutePath{/usr/local/netscape/docs/inst.html}
+				FilePermissions{555}
+			}
+		}
+	}
+	IRIX:6.2:mips {
+		EquivalentPlatform { Solaris:5.5.1:sparc }
+	}
+}
+

+ +

Script File Grammar

+--> valuelist
+
+valuelist --> value valuelist
+              <null>
+
+value --> key_value_pair
+          string
+
+key_value_pair --> key { valuelist }
+
+key --> string
+
+string --> simple_string
+           "complex_string"
+
+simple_string --> [^ \t\n\""{""}"]+ (no whitespace, quotes, or braces)
+
+complex_string --> ([^\"\\\r\n]|(\\\")|(\\\\))+ (quotes and backslashes must be escaped with a backslash, no newlines or carriage returns are allowed in the string)
+

+Outside of complex strings, all whitespace (space, tab, newline) is considered +equal and is used only to delimit tokens. + +

+ +

Keys

+Keys are case-insensitive. +

Global Keys

ForwardCompatible +

Gives a list of platforms that are forward compatible. If the current +platform cannot be found in the list of supported platforms, then the +ForwardCompatible list will be checked for any platforms that have the same +OS and architecture and an earlier version. If one is found, its +attributes will be used for the current platform. +

Platforms (required) +

Gives a list of platforms. Each entry in the list is itself a key-value +pair: +the key is the name of the platform, and the valuelist contains various +attributes of the platform. The ModuleName, ModuleFile, and Files attributes +must be specified, unless an EquivalentPlatform attribute is specified. +The platform string is in the following +format: system name:os release:architecture. The installer +will obtain these values from NSPR. os release is an empty +string on non-UNIX operating systems. The following system names and platforms +are currently defined by NSPR:


+AIX (rs6000)
+
BSDI (x86)
+
FREEBSD (x86)
+
HPUX (hppa1.1)
+
IRIX (mips)
+
LINUX (ppc, alpha, x86)
+

MacOS (PowerPC) (Note: NSPR actually defines the OS as +"Mac OS". The +space makes the name unsuitable for being embedded in identifiers. Until +NSPR changes, you will have to add some special code to deal with this case. +)+
NCR (x86) +
NEC (mips) +
OS2 (x86) +
OSF (alpha) +
ReliantUNIX (mips) +
SCO (x86) +
SOLARIS (sparc) +
SONY (mips) +
SUNOS (sparc) +
UnixWare (x86) +
WIN95 (x86) +
WINNT (x86) +

+Examples of valid platform strings:

IRIX:6.2:mips, Solaris:5.5.1:sparc,
+Linux:2.0.32:x86, WIN95::x86

. +

+ +

Per-Platform Keys

+These keys only have meaning within the value list of an entry in +the Platforms list. +

ModuleName (required) +

Gives the common name for the module. This name will be used to +reference the module from Communicator, modutil, servers, or any other +program that uses the Netscape security module database. +

ModuleFile (required) +

Names the PKCS #11 module file (DLL or .so) for this platform. The name +is given as the relative path of the file within the JAR archive. +

Files (required) +

Lists the files that should be installed for this module. Each entry +in the file list is a key-value pair: the key is the path of the file in +the JAR archive, and +the valuelist contains attributes of the file. At least RelativePath and +AbsoluteDir must be specified in this valuelist. +

DefaultMechanismFlags +

This key-value pair specifies +of which mechanisms this module will be a default provider. It is a bitstring +specified in hexadecimal (0x) format. It is constructed as a bitwise OR +of the following constants. If the DefaultMechanismFlags +entry is omitted, the value will default to 0x0. +

+RSA:			0x0000 0001
+DSA:			0x0000 0002
+RC2:			0x0000 0004
+RC4:			0x0000 0008
+DES:			0x0000 0010
+DH:			0x0000 0020
+FORTEZZA:		0x0000 0040
+RC5:			0x0000 0080
+SHA1:			0x0000 0100
+MD5:			0x0000 0200
+MD2:			0x0000 0400
+RANDOM:			0x0800 0000
+FRIENDLY:		0x1000 0000
+OWN_PW_DEFAULTS:	0x2000 0000
+DISABLE:		0x4000 0000
+

CipherEnableFlags +

This key-value pair specifies +which SSL ciphers will be enabled. It is a bitstring specified in +hexadecimal (0x) format. It is constructed as a bitwise OR of the following +constants. If the CipherEnableFlags entry is omitted, the +value will default to 0x0. +

+FORTEZZA:		0x0000 0001
+

EquivalentPlatform +

Specifies that the attributes of the named platform should also be used +for the current platform. Saves typing when there is more than one platform +that uses the same settings. +

+ +

Per-File Keys

+These keys only have meaning within the valuelist of an entry in a +Files list. At least one of RelativePath and +AbsolutePath must be specified. If both are specified, the +relative path will be tried first and the absolute path used only if no +relative root directory is provided by the installer program. +

RelativePath +

Specifies the destination directory of the file, relative to some directory +decided at install-time. Two variables can be used in the relative +path, "%root%" and "%temp%". "%root%" will be replaced at run-time with +the directory relative to which files should be installed; for +example, it may be the server's root directory or Communicator's root +directory. "%temp%" is a directory that will be created at the beginning +of the installation and destroyed at the end of the installation. Its purpose +is to hold executable files (such as setup programs), or files that are +used by these programs. For example, a Windows installation might consist +of a setup.exe installation program, a help file, and a .cab file +containing compressed information. All these files could be installed into the +temporary directory. Files destined for the temporary directory are guaranteed +to be in place before any executable file is run, and will not be deleted +until all executable files have finished. +

AbsoluteDir +

Specifies the destination directory of the file as an absolute path. +This will only be used if the installer is unable to determine a +relative directory. +

Executable +

This string specifies that the file is to be executed during the +course of the +installation. Typically this would be used for a setup program provided +by a module vendor, such as a self-extracting setup.exe. +More than one file can be specified as executable, in which case they will +be run in the order they are specified in the script file. +

FilePermissions +

This string is interpreted as a string of octal digits, according to the +standard UNIX format. It is a bitwise OR of the following constants: +

+user read:         400
+user write:        200
+user execute:      100
+group read:        040
+group write:       020
+group execute:     010
+other read:        004
+other write:       002
+other execute:     001
+

+Some platforms may not understand these permissions. They will only be +applied insofar as makes sense for the current platform. If this attribute +is omitted, a default of 777 is assumed. + + +