Red Hat Bugzilla – Attachment 894337 Details for Bug 606022 – nss security tools lack man pages
[patch] Addresses most of the review comments
manfixes.patch (text/plain), 39.74 KB, created by Elio Maldonado Batiz on 2014-05-10 22:36:56 UTC
Flags: patch, obsolete
>diff -up ./nss/doc/certutil.xml.cleanup ./nss/doc/certutil.xml >--- ./nss/doc/certutil.xml.cleanup 2014-05-10 13:59:31.790998941 -0700 >+++ ./nss/doc/certutil.xml 2014-05-10 13:59:31.810999105 -0700 >@@ -196,10 +196,10 @@ If this option is not used, the validity > <para><command>certutil</command> supports two types of databases: the legacy security databases (<filename>cert8.db</filename>, <filename>key3.db</filename>, and <filename>secmod.db</filename>) and new SQLite databases (<filename>cert9.db</filename>, <filename>key4.db</filename>, and <filename>pkcs11.txt</filename>). </para> > <para>NSS recognizes the following prefixes:</para> > <itemizedlist> >- <listitem><para><command>sql: requests the newer database</command></para></listitem> >- <listitem><para><command>dbm: requests the legacy database</command></para></listitem> >+ <listitem><para><command>sql:</command> requests the newer database</para></listitem> >+ <listitem><para><command>dbm:</command> requests the legacy database</para></listitem> > </itemizedlist> >- <para>If no prefix is specified the default type is retrieved from NSS_DEFAULT_DB_TYPE. If NSS_DEFAULT_DB_TYPE is not set then dbm: is the default.</para> >+ <para>If no prefix is specified the default type is retrieved from NSS_DEFAULT_DB_TYPE. If NSS_DEFAULT_DB_TYPE is not set then <command>dbm:</command> is the default.</para> > </listitem> > </varlistentry> 
> >@@ -222,7 +222,7 @@ If this option is not used, the validity > > <varlistentry> > <term>-g keysize</term> >- <listitem><para>Set a key size to use when generating new public and private key pairs. The minimum is 512 bits and the maximum is 8192 bits. The default is 1024 bits. Any size between the minimum and maximum is allowed.</para></listitem> >+ <listitem><para>Set a key size to use when generating new public and private key pairs. The minimum is 512 bits and the maximum is 16384 bits. The default is 1024 bits. Any size between the minimum and maximum is allowed.</para></listitem> > </varlistentry> > > >@@ -360,7 +360,7 @@ of the attribute codes: > <para> > The attribute codes for the categories are separated by commas, and the entire set of attributes enclosed by quotation marks. For example: > </para> >-<para><command>-t "TCu,Cu,Tuw"</command></para> >+<para><command>-t "TCu,Cu,Tu"</command></para> > <para> > Use the -L option to see a list of the current certificates and trust attributes in a certificate database. </para></listitem> > </varlistentry> >@@ -432,11 +432,11 @@ of the attribute codes: > > <varlistentry> > <term>-1 | --keyUsage keyword,keyword</term> >- <listitem><para>Set a Netscape Certificate Type Extension in the certificate. There are several available keywords:</para> >+ <listitem><para>Set an X.509 V3 Certificate Type Extension in the certificate. There are several available keywords:</para> > <itemizedlist> > <listitem> > <para> >- digital signature >+ digitalSignature > </para> > </listitem> > <listitem> 
>@@ -498,7 +498,7 @@ of the attribute codes: > > <varlistentry> > <term>-5 | --nsCertType keyword,keyword</term> >- <listitem><para>Add a Netscape certificate type extension to a certificate that is being created or added to the database. There are several available keywords:</para> >+ <listitem><para>Add an X.509 V3 certificate type extension to a certificate that is being created or added to the database. There are several available keywords:</para> > <itemizedlist> > <listitem> > <para> >diff -up ./nss/doc/cmsutil.xml.cleanup ./nss/doc/cmsutil.xml >--- ./nss/doc/cmsutil.xml.cleanup 2013-11-09 09:23:30.000000000 -0800 >+++ ./nss/doc/cmsutil.xml 2014-05-10 13:59:31.811999113 -0700 >@@ -62,16 +62,16 @@ The options and arguments for the cmsuti > </para> > <variablelist> > <varlistentry> >- <term>-D </term> >- <listitem><para>Decode a message.</para></listitem> >- </varlistentry> >- >- <varlistentry> > <term>-C</term> > <listitem><para>Encrypt a message.</para></listitem> > </varlistentry> > > <varlistentry> >+ <term>-D </term> >+ <listitem><para>Decode a message.</para></listitem> >+ </varlistentry> >+ >+ <varlistentry> > <term>-E </term> > <listitem><para>Envelope a message.</para></listitem> > </varlistentry> >@@ -267,23 +267,11 @@ cmsutil -S [-i infile] [-o outfile] [-d > > </refsection> > >- <refsection> >+ <refsection id="seealso"> > <title>See also</title> > <para>certutil(1)</para> > </refsection> > >- >- <refsection id="seealso"> >- <title>See Also</title> >- <para></para> >- <para> >- </para> >- <para> >- </para> >- <para> >- </para> >- </refsection> >- > <!-- don't change --> > <refsection id="resources"> > <title>Additional Resources</title> >diff -up ./nss/doc/crlutil.xml.cleanup ./nss/doc/crlutil.xml >--- ./nss/doc/crlutil.xml.cleanup 2013-11-09 09:23:30.000000000 -0800 >+++ ./nss/doc/crlutil.xml 2014-05-10 13:59:31.811999113 -0700 
>@@ -76,15 +76,6 @@ The options and arguments for the crluti > > <variablelist> > <varlistentry> >- <term>-G </term> >- <listitem> >- <para> >-Create new Certificate Revocation List(CRL). >- </para> >- </listitem> >- </varlistentry> >- >- <varlistentry> > <term>-D </term> > <listitem> > <para> >@@ -93,40 +84,38 @@ Delete Certificate Revocation List from > </listitem> > </varlistentry> > >- > <varlistentry> >- <term>-I </term> >+ <term>-E </term> > <listitem> > <para> >-Import a CRL to the cert database >+Erase all CRLs of specified type from the cert database > </para> > </listitem> > </varlistentry> > > <varlistentry> >- <term>-E </term> >+ <term>-G </term> > <listitem> > <para> >-Erase all CRLs of specified type from the cert database >+Create new Certificate Revocation List(CRL). > </para> > </listitem> > </varlistentry> > >- > <varlistentry> >- <term>-L </term> >+ <term>-I </term> > <listitem> > <para> >-List existing CRL located in cert database file. >+Import a CRL to the cert database > </para> > </listitem> > </varlistentry> > > <varlistentry> >- <term>-S </term> >+ <term>-L </term> > <listitem> > <para> >-Show contents of a CRL file which isn't stored in the database. >+List existing CRL located in cert database file. > </para> > </listitem> > </varlistentry> >@@ -141,17 +130,18 @@ Modify existing CRL which can be located > </varlistentry> > > <varlistentry> >- <term>-G </term> >+ <term>-S </term> > <listitem> > <para> >- >+Show contents of a CRL file which isn't stored in the database. > </para> > </listitem> > </varlistentry> >+ > </variablelist> > > <para><command>Arguments</command></para> >- <para>Option arguments modify an action and are lowercase.</para> >+ <para>Option arguments modify an action.</para> > > <variablelist> 
> >@@ -249,6 +239,15 @@ Specify the output file name for new CRL > </varlistentry> > > <varlistentry> >+ <term>-P dbprefix </term> >+ <listitem> >+ <para> >+Specify the prefix used on the NSS security database files (for example, my_cert8.db and my_key3.db). This option is provided as a special case. Changing the names of the certificate and key databases is not recommended. >+ </para> >+ </listitem> >+ </varlistentry> >+ >+ <varlistentry> > <term>-t crl-type </term> > <listitem> > <para> >@@ -355,7 +354,7 @@ Implemented Extensions > * Add The Authority Key Identifier extension: > </para> > <para> >- The authority key identifier extension provides a means of identifying the public key corresponding to the private key used to sign a CRL. >+The authority key identifier extension provides a means of identifying the public key corresponding to the private key used to sign a CRL. > </para> > <para> > authKeyId critical [key-id | dn cert-serial] >@@ -504,21 +503,9 @@ crlutil -G|-M -c crl-gen-file -n nicknam > </programlisting> > </refsection> > >- <refsection> >- <title>See also</title> >- <para>certutil(1)</para> >- </refsection> >- >- > <refsection id="seealso"> > <title>See Also</title> >- <para></para> >- <para> >- </para> >- <para> >- </para> >- <para> >- </para> >+ <para>certutil(1)</para> > </refsection> > > <!-- don't change --> >diff -up ./nss/doc/modutil.xml.cleanup ./nss/doc/modutil.xml >--- ./nss/doc/modutil.xml.cleanup 2014-05-10 13:59:31.797998998 -0700 >+++ ./nss/doc/modutil.xml 2014-05-10 13:59:31.812999121 -0700 
>@@ -625,7 +625,8 @@ DISABLE: 0x40000000</progr > <para><command>Executable</command> specifies that the file is to be executed during the course of the installation. Typically, this string is used for a setup program provided by a module vendor, such as a self-extracting setup executable. More than one file can be specified as executable, in which case the files are run in the order in which they are specified in the script file.</para> > <para><command>FilePermissions</command> sets permissions on any referenced files in a string of octal digits, according to the standard Unix format. This string is a bitwise OR.</para> > >-<programlisting>user read: 0400 >+<programlisting> >+user read: 0400 > user write: 0200 > user execute: 0100 > group read: 0040 >@@ -633,7 +634,8 @@ group write: 0020 > group execute: 0010 > other read: 0004 > other write: 0002 >-other execute: 0001</programlisting> >+other execute: 0001 >+</programlisting> > > <para>Some platforms may not understand these permissions. They are applied only insofar as they make sense for the current platform. If this attribute is omitted, a default of 777 is assumed.</para> > </refsection> 
>@@ -693,7 +695,7 @@ Using the SQLite databases must be manua > <para>To set the shared database type as the default type for the tools, set the <envar>NSS_DEFAULT_DB_TYPE</envar> environment variable to <envar>sql</envar>:</para> > <programlisting>export NSS_DEFAULT_DB_TYPE="sql"</programlisting> > >-<para>This line can be set added to the <filename>~/.bashrc</filename> file to make the change permanent.</para> >+<para>This line can be added to the <filename>~/.bashrc</filename> file to make the change permanent for the user.</para> > > <para>Most applications do not use the shared database by default, but they can be configured to use them. For example, this how-to article covers how to configure Firefox and Thunderbird to use the new shared NSS databases:</para> > <itemizedlist> >diff -up ./nss/doc/pk12util.xml.cleanup ./nss/doc/pk12util.xml >--- ./nss/doc/pk12util.xml.cleanup 2013-11-09 09:23:30.000000000 -0800 >+++ ./nss/doc/pk12util.xml 2014-05-10 14:00:58.191707306 -0700 >@@ -27,16 +27,14 @@ > <refsynopsisdiv> > <cmdsynopsis> > <command>pk12util</command> >- <arg>-i p12File [-h tokenname] [-v] [common-options] </arg> >- <arg> >- -l p12File [-h tokenname] [-r] [common-options] </arg> >- <arg> >- -o p12File -n certname [-c keyCipher] [-C certCipher] [-m|--key_len keyLen] [-n|--cert_key_len certKeyLen] [common-options] </arg> >- <arg> >- >-common-options are: >-[-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword] >- </arg> >+ <arg>-i p12File|-l p12File|-o p12File</arg> >+ <arg>-d [sql:]directory</arg> >+ <arg>-h tokenname</arg> >+ <arg>-P dbprefix</arg> >+ <arg>-r</arg> >+ <arg>-v</arg> >+ <arg>-k slotPasswordFile|-K slotPassword</arg> >+ <arg>-w p12filePasswordFile|-W p12filePassword</arg> > </cmdsynopsis> > </refsynopsisdiv> 
> >@@ -73,22 +71,20 @@ common-options are: > > <para><command>Arguments</command></para> > <variablelist> >- > <varlistentry> >- <term>-n certname</term> >- <listitem><para>Specify the nickname of the cert and private key to export.</para></listitem> >+ <term>-c keyCipher</term> >+ <listitem><para>Specify the key encryption algorithm.</para></listitem> > </varlistentry> > > <varlistentry> >- <term>-d [sql:]directory</term> >- <listitem><para>Specify the database directory into which to import to or export from certificates and keys.</para> >- <para><command>pk12util</command> supports two types of databases: the legacy security databases (<filename>cert8.db</filename>, <filename>key3.db</filename>, and <filename>secmod.db</filename>) and new SQLite databases (<filename>cert9.db</filename>, <filename>key4.db</filename>, and <filename>pkcs11.txt</filename>). If the prefix <command>sql:</command> is not used, then the tool assumes that the given databases are in the old format.</para></listitem> >+ <term>-C certCipher</term> >+ <listitem><para>Specify the key cert (overall package) encryption algorithm.</para></listitem> > </varlistentry> > > <varlistentry> >- <term>-P prefix</term> >- <listitem><para>Specify the prefix used on the certificate and key databases. This option is provided as a special case. >- Changing the names of the certificate and key databases is not recommended.</para></listitem> >+ <term>-d [sql:]directory</term> >+ <listitem><para>Specify the database directory into which to import to or export from certificates and keys.</para> >+ <para><command>pk12util</command> supports two types of databases: the legacy security databases (<filename>cert8.db</filename>, <filename>key3.db</filename>, and <filename>secmod.db</filename>) and new SQLite databases (<filename>cert9.db</filename>, <filename>key4.db</filename>, and <filename>pkcs11.txt</filename>). 
If the prefix <command>sql:</command> is not used, then the tool assumes that the given databases are in the old format.</para></listitem> > </varlistentry> > > <varlistentry> >@@ -97,11 +93,6 @@ common-options are: > </varlistentry> > > <varlistentry> >- <term>-v </term> >- <listitem><para>Enable debug logging when importing.</para></listitem> >- </varlistentry> >- >- <varlistentry> > <term>-k slotPasswordFile</term> > <listitem><para>Specify the text file containing the slot's password.</para></listitem> > </varlistentry> 
>@@ -112,39 +103,46 @@ common-options are: > </varlistentry> > > <varlistentry> >- <term>-w p12filePasswordFile</term> >- <listitem><para>Specify the text file containing the pkcs #12 file password.</para></listitem> >+ <term>-m | --key-len keyLength</term> >+ <listitem><para>Specify the desired length of the symmetric key to be used to encrypt the private key.</para></listitem> > </varlistentry> > > <varlistentry> >- <term>-W p12filePassword</term> >- <listitem><para>Specify the pkcs #12 file password.</para></listitem> >+ <term>-n | --cert-key-len certKeyLength</term> >+ <listitem><para>Specify the desired length of the symmetric key to be used to encrypt the certificates and other meta-data.</para></listitem> > </varlistentry> > > <varlistentry> >- <term>-c keyCipher</term> >- <listitem><para>Specify the key encryption algorithm.</para></listitem> >+ <term>-n certname</term> >+ <listitem><para>Specify the nickname of the cert and private key to export.</para></listitem> > </varlistentry> > > <varlistentry> >- <term>-C certCipher</term> >- <listitem><para>Specify the key cert (overall package) encryption algorithm.</para></listitem> >+ <term>-P prefix</term> >+ <listitem><para>Specify the prefix used on the certificate and key databases. This option is provided as a special case. >+ Changing the names of the certificate and key databases is not recommended.</para></listitem> > </varlistentry> > > <varlistentry> >- <term>-m | --key-len keyLength</term> >- <listitem><para>Specify the desired length of the symmetric key to be used to encrypt the private key.</para></listitem> >+ <term>-r</term> >+ <listitem><para>Dumps all of the data in raw (binary) form. This must be saved as a DER file. 
The default is to return information in a pretty-print ASCII format, which displays the information about the certificates and public keys in the p12 file.</para></listitem> > </varlistentry> > > <varlistentry> >- <term>-n | --cert-key-len certKeyLength</term> >- <listitem><para>Specify the desired length of the symmetric key to be used to encrypt the certificates and other meta-data.</para></listitem> >+ <term>-v </term> >+ <listitem><para>Enable debug logging when importing.</para></listitem> > </varlistentry> > > <varlistentry> >- <term>-r</term> >- <listitem><para>Dumps all of the data in raw (binary) form. This must be saved as a DER file. The default is to return information in a pretty-print ASCII format, which displays the information about the certificates and public keys in the p12 file.</para></listitem> >+ <term>-w p12filePasswordFile</term> >+ <listitem><para>Specify the text file containing the pkcs #12 file password.</para></listitem> >+ </varlistentry> >+ >+ <varlistentry> >+ <term>-W p12filePassword</term> >+ <listitem><para>Specify the pkcs #12 file password.</para></listitem> > </varlistentry> >+ > </variablelist> > </refsection> 
> >@@ -237,9 +235,12 @@ common-options are: > <para><command>Importing Keys and Certificates</command></para> > <para>The most basic usage of <command>pk12util</command> for importing a certificate or key is the PKCS#12 input file (<option>-i</option>) and some way to specify the security database being accessed (either <option>-d</option> for a directory or <option>-h</option> for a token). > </para> >-<programlisting>pk12util -i p12File [-h tokenname] [-v] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]</programlisting> >+ <para> >+ pk12util -i p12File [-h tokenname] [-v] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword] >+ </para> > <para>For example:</para> >-<programlisting># pk12util -i /tmp/cert-files/users.p12 -d sql:/home/my/sharednssdb >+ <para> </para> >+ <programlisting># pk12util -i /tmp/cert-files/users.p12 -d sql:/home/my/sharednssdb > > Enter a password which will be used to encrypt your keys. > The password should be at least 8 characters long, 
>@@ -253,18 +254,18 @@ pk12util: PKCS12 IMPORT SUCCESSFUL</prog > <para><command>Exporting Keys and Certificates</command></para> > <para>Using the <command>pk12util</command> command to export certificates and keys requires both the name of the certificate to extract from the database (<option>-n</option>) and the PKCS#12-formatted output file to write to. There are optional parameters that can be used to encrypt the file to protect the certificate material. > </para> >-<programlisting>pk12util -o p12File -n certname [-c keyCipher] [-C certCipher] [-m|--key_len keyLen] [-n|--cert_key_len certKeyLen] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]</programlisting> >+ <para>pk12util -o p12File -n certname [-c keyCipher] [-C certCipher] [-m|--key_len keyLen] [-n|--cert_key_len certKeyLen] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]</para> > <para>For example:</para> >-<programlisting># pk12util -o certs.p12 -n Server-Cert -d sql:/home/my/sharednssdb >+ <programlisting># pk12util -o certs.p12 -n Server-Cert -d sql:/home/my/sharednssdb > Enter password for PKCS12 file: > Re-enter password: </programlisting> > > <para><command>Listing Keys and Certificates</command></para> > <para>The information in a <filename>.p12</filename> file are not human-readable. The certificates and keys in the file can be printed (listed) in a human-readable pretty-print format that shows information for every certificate and any public keys in the <filename>.p12</filename> file. 
> </para> >-<programlisting>pk12util -l p12File [-h tokenname] [-r] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]</programlisting> >+ <para>pk12util -l p12File [-h tokenname] [-r] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]</para> > <para>For example, this prints the default ASCII output:</para> >-<programlisting># pk12util -l certs.p12 >+ <programlisting># pk12util -l certs.p12 > > Enter password for PKCS12 file: > Key(shrouded): >@@ -283,9 +284,9 @@ Certificate: > Issuer: "E=personal-freemail@thawte.com,CN=Thawte Personal Freemail C > A,OU=Certification Services Division,O=Thawte Consulting,L=Cape T > own,ST=Western Cape,C=ZA" >-....</programlisting> >+ </programlisting> > <para>Alternatively, the <option>-r</option> prints the certificates and then exports them into separate DER binary files. This allows the certificates to be fed to another application that supports <filename>.p12</filename> files. Each certificate is written to a sequentially-number file, beginning with <filename>file0001.der</filename> and continuing through <filename>file000N.der</filename>, incrementing the number for every certificate:</para> >-<programlisting># pk12util -l test.p12 -r >+ <programlisting>pk12util -l test.p12 -r > Enter password for PKCS12 file: > Key(shrouded): > Friendly Name: Thawte Freemail Member's Thawte Consulting (Pty) Ltd. ID >@@ -297,7 +298,8 @@ Key(shrouded): > Iteration Count: 1 (0x1) > Certificate Friendly Name: Thawte Personal Freemail Issuing CA - Thawte Consulting > >-Certificate Friendly Name: Thawte Freemail Member's Thawte Consulting (Pty) Ltd. ID</programlisting> >+Certificate Friendly Name: Thawte Freemail Member's Thawte Consulting (Pty) Ltd. ID >+ </programlisting> > </refsection> > > <refsection id="encryption"> 
>@@ -309,86 +311,48 @@ Certificate Friendly Name: Thawte Fre > > <varlistentry> > <term>Symmetric CBC ciphers for PKCS#5 V2</term> >- <listitem><para>DES_CBC</para> >- <itemizedlist> >- <listitem> >- <para>RC2-CBC</para> >- </listitem> >- <listitem> >- <para>RC5-CBCPad</para> >- </listitem> >- <listitem> >- <para>DES-EDE3-CBC (the default for key encryption)</para> >- </listitem> >- <listitem> >- <para>AES-128-CBC</para> >- </listitem> >- <listitem> >- <para>AES-192-CBC</para> >- </listitem> >- <listitem> >- <para>AES-256-CBC</para> >- </listitem> >- <listitem> >- <para>CAMELLIA-128-CBC</para> >- </listitem> >- <listitem> >- <para>CAMELLIA-192-CBC</para> >- </listitem> >- <listitem> >- <para>CAMELLIA-256-CBC</para></listitem> >- </itemizedlist> >- </listitem> >+ <listitem> >+ <itemizedlist> >+ <listitem><para>DES-CBC</para></listitem> >+ <listitem><para>RC2-CBC</para></listitem> >+ <listitem><para>RC5-CBCPad</para></listitem> >+ <listitem><para>DES-EDE3-CBC (the default for key encryption)</para></listitem> >+ <listitem><para>AES-128-CBC</para></listitem> >+ <listitem><para>AES-192-CBC</para></listitem> >+ <listitem><para>AES-256-CBC</para></listitem> >+ <listitem><para>CAMELLIA-128-CBC</para></listitem> >+ <listitem><para>CAMELLIA-192-CBC</para></listitem> >+ <listitem><para>CAMELLIA-256-CBC</para></listitem> >+ </itemizedlist> >+ </listitem> > </varlistentry> > > <varlistentry> > <term>PKCS#12 PBE ciphers</term> >- <listitem><para>PKCS #12 PBE with Sha1 and 128 Bit RC4</para> >- <itemizedlist> >- <listitem> >- <para>PKCS #12 PBE with Sha1 and 40 Bit RC4</para> >- </listitem> >- <listitem> >- <para>PKCS #12 PBE with Sha1 and Triple DES CBC</para> >- </listitem> >- <listitem> >- <para>PKCS #12 PBE with Sha1 and 128 Bit RC2 CBC</para> >- </listitem> >- <listitem> >- <para>PKCS #12 PBE with Sha1 and 40 Bit RC2 CBC</para> >- </listitem> >- <listitem> >- <para>PKCS12 V2 PBE with SHA1 and 128 Bit RC4</para> >- </listitem> >- <listitem> >- <para>PKCS12 V2 PBE with SHA1 
and 40 Bit RC4 (the default for non-FIPS mode)</para> >- </listitem> >- <listitem> >- <para>PKCS12 V2 PBE with SHA1 and 3KEY Triple DES-cbc</para> >- </listitem> >- <listitem> >- <para>PKCS12 V2 PBE with SHA1 and 2KEY Triple DES-cbc</para> >- </listitem> >- <listitem> >- <para>PKCS12 V2 PBE with SHA1 and 128 Bit RC2 CBC</para> >- </listitem> >- <listitem> >- <para>PKCS12 V2 PBE with SHA1 and 40 Bit RC2 CBC</para></listitem> >- </itemizedlist> >- </listitem> >- </varlistentry> >- >- <varlistentry> >- <term>PKCS#5 PBE ciphers</term> >- <listitem><para>PKCS #5 Password Based Encryption with MD2 and DES CBC</para> >- <itemizedlist> >- <listitem> >- <para>PKCS #5 Password Based Encryption with MD5 and DES CBC</para> >- </listitem> >- <listitem> >- <para>PKCS #5 Password Based Encryption with SHA1 and DES CBC</para></listitem> >- </itemizedlist> >- </listitem> >+ <listitem> >+ <itemizedlist> >+ <listitem><para>PKCS #12 PBE with Sha1 and 128 Bit RC4</para></listitem> >+ <listitem><para>PKCS #12 PBE with Sha1 and 40 Bit RC4</para></listitem> >+ <listitem><para>PKCS #12 PBE with Sha1 and Triple DES CBC</para></listitem> >+ <listitem><para>PKCS #12 PBE with Sha1 and 128 Bit RC2 CBC</para></listitem> >+ <listitem><para>PKCS #12 PBE with Sha1 and 40 Bit RC2 CBC</para></listitem> >+ <listitem><para>PKCS12 V2 PBE with SHA1 and 128 Bit RC4</para></listitem> >+ <listitem><para>PKCS12 V2 PBE with SHA1 and 40 Bit RC4 (the default for non-FIPS mode)</para></listitem> >+ <listitem><para>PKCS12 V2 PBE with SHA1 and 3KEY Triple DES-cbc</para></listitem> >+ <listitem><para>PKCS12 V2 PBE with SHA1 and 2KEY Triple DES-cbc</para></listitem> >+ <listitem><para>PKCS12 V2 PBE with SHA1 and 128 Bit RC2 CBC</para></listitem> >+ <listitem><para>PKCS12 V2 PBE with SHA1 and 40 Bit RC2 CBC</para></listitem> >+ </itemizedlist> >+ </listitem> >+ </varlistentry> >+ <varlistentry><term>PKCS#5 PBE ciphers</term> >+ <listitem> >+ <itemizedlist> >+ <listitem><para>PKCS #5 Password Based Encryption with MD2 
and DES CBC</para></listitem> >+ <listitem><para>PKCS #5 Password Based Encryption with MD5 and DES CBC</para></listitem> >+ <listitem><para>PKCS #5 Password Based Encryption with SHA1 and DES CBC</para></listitem> >+ </itemizedlist> >+ </listitem> > </varlistentry> > </variablelist> > <para>With PKCS#12, the crypto provider may be the soft token module or an external hardware module. If the cryptographic module does not support the requested algorithm, then the next best fit will be selected (usually the default). If no suitable replacement for the desired algorithm can be found, the tool returns the error <emphasis>no security module can perform the requested operation</emphasis>.</para> >diff -up ./nss/doc/signtool.xml.cleanup ./nss/doc/signtool.xml >--- ./nss/doc/signtool.xml.cleanup 2013-11-09 09:23:30.000000000 -0800 >+++ ./nss/doc/signtool.xml 2014-05-10 13:59:31.815999146 -0700 
>@@ -27,36 +27,37 @@ > <refsynopsisdiv> > <cmdsynopsis> > <command>signtool</command> >- <arg>-k keyName</arg> >+ <arg>[-b basename]</arg> >+ <arg>[-c Compression Level] </arg> >+ <arg>[-d cert-dir] </arg> >+ <arg>[-e extension] </arg> >+ <arg>[-f filename] </arg> >+ <arg>[-i installer script] </arg> > <arg>[-h]</arg> > <arg>[-H]</arg> >- <arg>[-l]</arg> >- <arg>[-L]</arg> >- <arg>[-M]</arg> > <arg>[-v]</arg> > <arg>[-w]</arg> > <arg>[-G nickname]</arg> >+ <arg>[-J]</arg> >+ <arg>[-j directory] </arg> >+ <arg>-k keyName</arg> > <arg>[--keysize | -s size]</arg> >- <arg>[-b basename]</arg> >- <arg>[-c Compression Level] </arg> >- <arg>[-d cert-dir] </arg> >- <arg>[-i installer script] </arg> >+ <arg>[-l]</arg> >+ <arg>[-L]</arg> >+ <arg>[-M]</arg> > <arg>[-m metafile] </arg> >- <arg>[-x name] </arg> >- <arg>[-f filename] </arg> >- <arg>[-t|--token tokenname] </arg> >- <arg>[-e extension] </arg> >+ <arg>[--norecurse] </arg> >+ <arg>[-O] </arg> > <arg>[-o] </arg> >+ <arg>[--outfile] </arg> >+ <arg>[-p password] </arg> >+ <arg>[-t|--token tokenname] </arg> > <arg>[-z] </arg> > <arg>[-X] </arg> >- <arg>[--outfile] </arg> >+ <arg>[-x name] </arg> > <arg>[--verbose value] </arg> >- <arg>[--norecurse] </arg> > <arg>[--leavearc] </arg> >- <arg>[-j directory] </arg> > <arg>[-Z jarfile] </arg> >- <arg>[-O] </arg> >- <arg>[-p password] </arg> > <arg>directory-tree</arg> > <arg>archive</arg> > <!-- this isn't the ideal formatting, since docbook can handle reqiored/optional formatting automatically, but let's make it explicit --> 
>@@ -124,10 +125,36 @@ The Unix version of signtool assumes ~/. > </para></listitem> > </varlistentry> > <varlistentry> >+ <term>-G nickname</term> >+ <listitem><para> >+ Generates a new private-public key pair and corresponding object-signing certificate with the given nickname. >+ >+The newly generated keys and certificate are installed into the key and certificate databases in the directory specified by the -d option. With the NT version of Netscape Signing Tool, you must use the -d option with the -G option. With the Unix version of Netscape Signing Tool, omitting the -d option causes the tool to install the keys and certificate in the Communicator key and certificate databases. If you are installing the keys and certificate in the Communicator databases, you must exit Communicator before using this option; otherwise, you risk corrupting the databases. In all cases, the certificate is also output to a file named x509.cacert, which has the MIME-type application/x-x509-ca-cert. >+ >+Unlike certificates normally used to sign finished code to be distributed over a network, a test certificate created with -G is not signed by a recognized certificate authority. Instead, it is self-signed. In addition, a single test signing certificate functions as both an object-signing certificate and a CA. When you are using it to sign objects, it behaves like an object-signing certificate. When it is imported into browser software such as Communicator, it behaves like an object-signing CA and cannot be used to sign objects. >+ >+The -G option is available in Netscape Signing Tool 1.0 and later versions only. By default, it produces only RSA certificates with 1024-byte keys in the internal token. However, you can use the -s option specify the required key size and the -t option to specify the token. >+ </para></listitem> >+ </varlistentry> >+ <varlistentry> > <term>-i scriptname</term> >- <listitem><para> >- Specifies the name of an installer script for SmartUpdate. 
This script installs files from the JAR archive in the local system after SmartUpdate has validated the digital signature. For more details, see the description of -m that follows. The -i option provides a straightforward way to provide this information if you don't need to specify any metadata other than an installer script. >-</para></listitem> >+ <listitem><para> >+Specifies the name of an installer script for SmartUpdate. This script installs files from the JAR archive in the local system after SmartUpdate has validated the digital signature. For more details, see the description of -m that follows. The -i option provides a straightforward way to provide this information if you don't need to specify any metadata other than an installer script. >+ </para></listitem> >+ </varlistentry> >+ <varlistentry> >+ <term>-J</term> >+ <listitem> >+ <para> >+Signs a directory of HTML files containing JavaScript and creates as many archive files as are specified in the HTML tags. Even if signtool creates more than one archive file, you need to supply the key database password only once. >+ >+The -J option is available only in Netscape Signing Tool 1.0 and later versions. The -J option cannot be used at the same time as the -Z option. >+ >+If the -c# option is not used with the -J option, the default compression value is 6. >+ >+Note that versions 1.1 and later of Netscape Signing Tool correctly recognizes the CODEBASE attribute, allows paths to be expressed for the CLASS and SRC attributes instead of filenames only, processes LINK tags and parses HTML correctly, and offers clearer error messages. >+ </para> >+ </listitem> > </varlistentry> > <varlistentry> > <term>-j directory</term> 
>@@ -149,15 +176,15 @@ It's also possible to use the -k option > </varlistentry> > <varlistentry> > <term>-G nickname</term> >- <listitem><para> >+ <listitem><para> > Generates a new private-public key pair and corresponding object-signing certificate with the given nickname. > > The newly generated keys and certificate are installed into the key and certificate databases in the directory specified by the -d option. With the NT version of Netscape Signing Tool, you must use the -d option with the -G option. With the Unix version of Netscape Signing Tool, omitting the -d option causes the tool to install the keys and certificate in the Communicator key and certificate databases. If you are installing the keys and certificate in the Communicator databases, you must exit Communicator before using this option; otherwise, you risk corrupting the databases. In all cases, the certificate is also output to a file named x509.cacert, which has the MIME-type application/x-x509-ca-cert. > > Unlike certificates normally used to sign finished code to be distributed over a network, a test certificate created with -G is not signed by a recognized certificate authority. Instead, it is self-signed. In addition, a single test signing certificate functions as both an object-signing certificate and a CA. When you are using it to sign objects, it behaves like an object-signing certificate. When it is imported into browser software such as Communicator, it behaves like an object-signing CA and cannot be used to sign objects. > >-The -G option is available in Netscape Signing Tool 1.0 and later versions only. By default, it produces only RSA certificates with 1024-byte keys in the internal token. However, you can use the -s option specify the required key size and the -t option to specify the token. For more information about the use of the -G option, see "Generating Test Object-Signing Certificates""Generating Test Object-Signing Certificates" on page 1241. 
>-</para></listitem> >+The -G option is available in Netscape Signing Tool 1.0 and later versions only. By default, it produces only RSA certificates with 1024-byte keys in the internal token. However, you can use the -s option specify the required key size and the -t option to specify the token. >+ </para></listitem> > </varlistentry> > <varlistentry> > <term>-l</term> >diff -up ./nss/doc/signver.xml.cleanup ./nss/doc/signver.xml >--- ./nss/doc/signver.xml.cleanup 2013-11-09 09:23:30.000000000 -0800 >+++ ./nss/doc/signver.xml 2014-05-10 13:59:31.815999146 -0700 >@@ -163,7 +163,7 @@ Using the SQLite databases must be manua > <para>To set the shared database type as the default type for the tools, set the <envar>NSS_DEFAULT_DB_TYPE</envar> environment variable to <envar>sql</envar>:</para> > <programlisting>export NSS_DEFAULT_DB_TYPE="sql"</programlisting> > >-<para>This line can be set added to the <filename>~/.bashrc</filename> file to make the change permanent.</para> >+<para>This line can be added to the <filename>~/.bashrc</filename> file to make the change permanent for the user.</para> > > <para>Most applications do not use the shared database by default, but they can be configured to use them. For example, this how-to article covers how to configure Firefox and Thunderbird to use the new shared NSS databases:</para> > <itemizedlist> >diff -up ./nss/doc/ssltap.xml.cleanup ./nss/doc/ssltap.xml >--- ./nss/doc/ssltap.xml.cleanup 2013-11-09 09:23:30.000000000 -0800 >+++ ./nss/doc/ssltap.xml 2014-05-10 13:59:31.816999154 -0700 >@@ -26,8 +26,8 @@ > > <refsynopsisdiv> > <cmdsynopsis> >- <command>libssltap</command> >- <arg choice="opt">-vhfsxl</arg> >+ <command>ssltap</command> >+ <arg choice="opt">-fhlsvx</arg> > <arg choice="opt">-p port</arg> > <arg choice="opt">hostname:port</arg> > </cmdsynopsis> 
>@@ -48,8 +48,10 @@ > <title>Options</title> > <variablelist> > <varlistentry> >- <term>-v </term> >- <listitem><para>Print a version string for the tool.</para></listitem> >+ <term>-f </term> >+ <listitem><para> >+Turn on fancy printing. Output is printed in colored HTML. Data sent from the client to the server is in blue; the server's reply is in red. When used with looping mode, the different connections are separated with horizontal lines. You can use this option to upload the output into a browser. >+ </para></listitem> > </varlistentry> > <varlistentry> > <term>-h </term> 
>@@ -58,34 +60,6 @@ Turn on hex/ASCII printing. Instead of o > </para></listitem> > </varlistentry> > <varlistentry> >- <term>-f </term> >- <listitem><para> >-Turn on fancy printing. Output is printed in colored HTML. Data sent from the client to the server is in blue; the server's reply is in red. When used with looping mode, the different connections are separated with horizontal lines. You can use this option to upload the output into a browser. >- </para></listitem> >- </varlistentry> >- <varlistentry><term>-s </term> >- <listitem> >- <para> >-Turn on SSL parsing and decoding. The tool does not automatically detect SSL sessions. If you are intercepting an SSL connection, use this option so that the tool can detect and decode SSL structures. >- </para> >- <para> >-If the tool detects a certificate chain, it saves the DER-encoded certificates into files in the current directory. The files are named cert.0x, where x is the sequence number of the certificate. >- </para> >- <para> >-If the -s option is used with -h, two separate parts are printed for each record: the plain hex/ASCII output, and the parsed SSL output. >- </para> >- </listitem> >- </varlistentry> >- <varlistentry> >- <term>-x </term> >- <listitem> >- <para> >-Turn on hex/ASCII printing of undecoded data inside parsed SSL records. Used only with the -s option. >-This option uses the same output format as the -h option. >- </para> >- </listitem> >- </varlistentry> >- <varlistentry> > <term>-l prefix</term> > <listitem> > <para> 
>@@ -124,6 +98,28 @@ Turn on looping; that is, continue to ac > </para> > </listitem> > </varlistentry> >+ <varlistentry> >+ <term>-s </term> >+ <listitem> >+ <para> >+Turn on SSL parsing and decoding. The tool does not automatically detect SSL sessions. If you are intercepting an SSL connection, use this option so that the tool can detect and decode SSL structures. >+ </para> >+ <para> >+If the tool detects a certificate chain, it saves the DER-encoded certificates into files in the current directory. The files are named cert.0x, where x is the sequence number of the certificate. >+ </para> >+ <para> >+If the -s option is used with -h, two separate parts are printed for each record: the plain hex/ASCII output, and the parsed SSL output. >+ </para> >+ </listitem> >+ </varlistentry> >+ <varlistentry> >+ <term>-v </term> >+ <listitem><para>Print a version string for the tool.</para></listitem> >+ </varlistentry> >+ <varlistentry> >+ <term>-x </term> >+ <listitem><para>Turn on extra SSL hex dumps.</para></listitem> >+ </varlistentry> > </variablelist> > </refsection> >
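Review bot: in the signtool.xml hunk `@@ -124,10 +125,36 @@`, the `-G nickname` entry inserted before `-i scriptname` duplicates the existing `-G nickname` entry that the `@@ -149,15 +176,15 @@` hunk below keeps (and re-indents), so the rendered man page will document -G twice with identical text; keep only one copy. While the text is being added, fix "1024-byte keys" to "1024-bit keys" (RSA key sizes are expressed in bits), add the missing "to" in "you can use the -s option specify the required key size", and in the new -J entry change "versions 1.1 and later of Netscape Signing Tool correctly recognizes" to "recognize".

Review bot: in the signtool.xml hunk `@@ -149,15 +176,15 @@`, dropping the dangling "see \"Generating Test Object-Signing Certificates\"\"Generating Test Object-Signing Certificates\" on page 1241" reference is right, since the man page has no such section, but because the same -G text is inserted earlier in the file by the `@@ -124,10 +125,36 @@` hunk, this varlistentry should be removed outright rather than re-indented; if it is retained instead, it needs the same "1024-bit" and "option to specify" fixes as the copy above.

Review bot: in the signver.xml hunk `@@ -163,7 +163,7 @@`, "permanent for the user" overstates what a `~/.bashrc` line achieves: bash reads `~/.bashrc` for interactive shells only, so the `export NSS_DEFAULT_DB_TYPE="sql"` setting will not reach services, cron jobs or tools launched from a desktop session. Either say "for the user's interactive shells" or point at a profile file the login session reads.

Review bot: in the ssltap.xml hunk `@@ -26,8 +26,8 @@`, renaming `libssltap` to `ssltap` and sorting the switch cluster is fine, but `-l` takes an argument (the options list below documents it as `-l prefix`), so folding it into `<arg choice="opt">-fhlsvx</arg>` presents it as a bare flag. Give it its own `<arg choice="opt">-l prefix</arg>` alongside `-p port`, and leave the cluster as `-fhsvx`.

Review bot: in the ssltap.xml hunk `@@ -124,6 +98,28 @@`, the relocated `-x` entry now reads only "Turn on extra SSL hex dumps.", whereas the text removed in `@@ -58,34 +60,6 @@` said "Turn on hex/ASCII printing of undecoded data inside parsed SSL records. Used only with the -s option. This option uses the same output format as the -h option." The dependency on `-s` and the output-format note are useful to operators and should be carried over rather than dropped during the reordering.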
Flags: hkario: review-