diff -r 000000000000 -r 6474c204b198 security/nss/cmd/modutil/specification.html --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/security/nss/cmd/modutil/specification.html Wed Dec 31 06:09:35 2014 +0100 @@ -0,0 +1,322 @@ + + +
+modutil [command] [options]
+At most one command can be specified. With no arguments,
+modutil
prints a usage message.
+
Command | Description | +
---|---|
+-add module name -libfile library file
+ [-ciphers cipher enable list]
+ [-mechanisms default mechanism list]
+ |
+Adds a new module to the database with the given name.
+
+ library file is the path of the DLL or other library file +containing the module's implementation of the PKCS #11 interface. + + cipher enable flags is a colon-separated list of ciphers +that will be enabled on this module. The list should be enclosed within quotes +if necessary to prevent shell interpretation. The following ciphers are +currently available: +
default mechanism flags is a colon-separated list of +mechanisms for which this module should be the default provider. The +list should be enclosed within quotes if necessary to prevent shell +interpretation. This +list does not enable the mechanisms; it only specifies that this module +will be a default provider for the listed mechanisms. If more than +one module claims to be a default provider for a given mechanism, it is +undefined which will actually be chosen to provide that mechanism. The +following mechanisms are currently available: +
|
+
-changepw token name
+[-pwfile old password file]
+[-newpwfile new password file] |
+Changes the password on the named token. If the token has not been
+initialized, this command will initialize the PIN.
+If a password file is given, the password will be read from that file;
+otherwise, the password will be obtained interactively.
+Storing passwords in a file is much less secure than supplying them
+interactively.
+ The password on the Netscape internal module cannot be changed if
+the |
+
-create |
+Creates a new secmod[ule].db, key3.db, and cert7.db in the directory
+specified with the
+-dbdir option, if one is specified. If no directory is
+specified, UNIX systems will use the user's .netscape directory, while other
+systems will return with an error message. If any of these databases already
+exist in the chosen directory, an error message is returned.
+If used with |
+
-default module name
+-mechanisms mechanism list
+ |
+Specifies that the given module will be a default provider of the
+listed mechanisms. The mechanism list is the same as in the -add
+command.
+ |
+
-delete module name |
+Deletes the named module from the database | +
-disable module name
+[-slot slot name] |
+Disables the named slot. If no slot is specified, all slots on +the module are disabled. | +
-enable module name
+[-slot slot name] |
+Enables the named slot. If no slot is specified, all slots on +the module are enabled. | +
-fips [true | false] |
+Enables or disables FIPS mode on the internal module. Passing
+true enables FIPS mode, passing false disables
+FIPS mode. |
+
-force |
+Disables interactive prompts, so modutil can be run in a script. +Should only be used by experts, since the prompts may relate to security +or database integrity. Before using this option, test the command +interactively once to see the warnings that are produced. | +
-jar JAR file
+-installdir root installation directory
+[-tempdir temporary directory] |
+Adds a new module from the given JAR file. The JAR file uses the
+server PKCS #11 JAR format to describe the names of
+any files that need to be installed, the name of the module, mechanism flags,
+and cipher flags. The root installation directory
+is the directory relative to which files will be installed. This should be a
+ directory
+under which it would be natural to store dynamic library files, such as
+a server's root directory, or Communicator's root directory.
+The temporary directory is where temporary modutil files
+will be created in the course of the installation. If no temporary directory
+is specified, the current directory will be used.
+ If used with the |
+
-list [module name] |
+Without an argument, lists the PKCS #11 modules present in the module
+database.
++++% modutil -list +Using database directory /u/nicolson/.netscape... + +Listing of PKCS #11 Modules +----------------------------------------------------------- + 1. Netscape Internal PKCS #11 Module + slots: 2 slots attached + status: loaded + + slot: Communicator Internal Cryptographic Services Version 4.0 + token: Communicator Generic Crypto Svcs + + slot: Communicator User Private Key and Certificate Services + token: Communicator Certificate DB +----------------------------------------------------------- ++ With an argument, provides a detailed description of the named module +and its slots and tokens. + +++% modutil -list "Netscape Internal PKCS #11 Module" +Using database directory /u/nicolson/.netscape... + +----------------------------------------------------------- +Name: Netscape Internal PKCS #11 Module +Library file: **Internal ONLY module** +Manufacturer: Netscape Communications Corp +Description: Communicator Internal Crypto Svc +PKCS #11 Version 2.0 +Library Version: 4.0 +Cipher Enable Flags: None +Default Mechanism Flags: RSA:DSA:RC2:RC4:DES:SHA1:MD5:MD2 + + Slot: Communicator Internal Cryptographic Services Version 4.0 + Manufacturer: Netscape Communications Corp + Type: Software + Version Number: 4.1 + Firmware Version: 0.0 + Status: Enabled + Token Name: Communicator Generic Crypto Svcs + Token Manufacturer: Netscape Communications Corp + Token Model: Libsec 4.0 + Token Serial Number: 0000000000000000 + Token Version: 4.0 + Token Firmware Version: 0.0 + Access: Write Protected + Login Type: Public (no login required) + User Pin: NOT Initialized + + Slot: Communicator User Private Key and Certificate Services + Manufacturer: Netscape Communications Corp + Type: Software + Version Number: 3.0 + Firmware Version: 0.0 + Status: Enabled + Token Name: Communicator Certificate DB + Token Manufacturer: Netscape Communications Corp + Token Model: Libsec 4.0 + Token Serial Number: 0000000000000000 + Token Version: 7.0 + Token Firmware Version: 0.0 + 
Access: NOT Write Protected + Login Type: Login required + User Pin: Initialized + +----------------------------------------------------------- ++ |
+
-undefault module name
+-mechanisms mechanism list |
+Specifies that the given module will NOT be a default provider of +the listed mechanisms. This command clears the default mechanism flags +for the given module. | +
Option | Description |
---|---|
-dbdir directory |
+Specifies which directory holds the module database. On UNIX systems, +the user's netscape directory is the default. On other systems, there is +no default, and this option must be used. | +
-nocertdb |
+Do not open the certificate or key databases. This has several effects.
+With the -create command, this means that only a secmod.db file
+will be created; cert7.db and key3.db will not be created. With the
+-jar command, signatures on the JAR file will not be checked.
+With the -changepw command, the password on the Netscape internal
+module cannot be set or changed, since this password is stored in key3.db.
+ |
+
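Review bot: three table cells in this hunk end mid-sentence and need to be completed before this lands: the -changepw cell stops at "The password on the Netscape internal module cannot be changed if the", the -create cell at "If used with", and the -jar cell at "If used with the". The -nocertdb row further down already states the intended interactions (only secmod.db is created, JAR signatures are not checked, the internal module's password cannot be set or changed because it is stored in key3.db), so each of the three cells should name -nocertdb and state that effect in full. The -jar interaction also deserves the kind of warning the -pwfile and -force rows already carry: with -nocertdb the JAR signature is not verified, yet the files the JAR installs are dynamic libraries that the product will load as PKCS #11 modules, so the text should say plainly that unverified code is being installed. Two smaller points: "The following ciphers are currently available:" and "The following mechanisms are currently available:" in the -add cell are followed by no list, and the -add synopsis names its arguments "cipher enable list" and "default mechanism list" while the body calls them "cipher enable flags" and "default mechanism flags" (the -default and -undefault rows use "mechanism list"); pick one term and use it throughout.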