summaryrefslogtreecommitdiffstats
path: root/security/nss/doc/nroff
diff options
context:
space:
mode:
authorwolfbeast <mcwerewolf@gmail.com>2018-04-25 21:33:33 +0200
committerwolfbeast <mcwerewolf@gmail.com>2018-04-25 21:33:33 +0200
commitfba28f19754f62b5227650143d5441fc86d4c7d7 (patch)
tree26629d73f83543ff92a060fd7b310bb748b13173 /security/nss/doc/nroff
parentb4154e043bfc0d2f301d88304efc896989d650bf (diff)
downloadUXP-fba28f19754f62b5227650143d5441fc86d4c7d7.tar
UXP-fba28f19754f62b5227650143d5441fc86d4c7d7.tar.gz
UXP-fba28f19754f62b5227650143d5441fc86d4c7d7.tar.lz
UXP-fba28f19754f62b5227650143d5441fc86d4c7d7.tar.xz
UXP-fba28f19754f62b5227650143d5441fc86d4c7d7.zip
Revert "Update NSS to 3.35-RTM"
This reverts commit f1a0f0a56fdd0fc39f255174ce08c06b91c66c94.
Diffstat (limited to 'security/nss/doc/nroff')
-rw-r--r--security/nss/doc/nroff/certutil.137
-rw-r--r--security/nss/doc/nroff/pk12util.1279
2 files changed, 234 insertions, 82 deletions
diff --git a/security/nss/doc/nroff/certutil.1 b/security/nss/doc/nroff/certutil.1
index 80a02fc27..b2a8bd2bb 100644
--- a/security/nss/doc/nroff/certutil.1
+++ b/security/nss/doc/nroff/certutil.1
@@ -1,13 +1,13 @@
'\" t
.\" Title: CERTUTIL
.\" Author: [see the "Authors" section]
-.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
-.\" Date: 27 October 2017
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\" Date: 8 September 2016
.\" Manual: NSS Security Tools
.\" Source: nss-tools
.\" Language: English
.\"
-.TH "CERTUTIL" "1" "27 October 2017" "nss-tools" "NSS Security Tools"
+.TH "CERTUTIL" "1" "8 September 2016" "nss-tools" "NSS Security Tools"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@@ -371,9 +371,9 @@ Read an alternate PQG value from the specified file when generating DSA key pair
\fBcertutil\fR
generates its own PQG value\&. PQG files are created with a separate DSA utility\&.
.sp
-Elliptic curve name is one of the ones from nistp256, nistp384, nistp521, curve25519\&.
+Elliptic curve name is one of the ones from nistp256, nistp384, nistp521, curve25519.
.sp
-If a token is available that supports more curves, the foolowing curves are supported as well: sect163k1, nistk163, sect163r1, sect163r2, nistb163, sect193r1, sect193r2, sect233k1, nistk233, sect233r1, nistb233, sect239k1, sect283k1, nistk283, sect283r1, nistb283, sect409k1, nistk409, sect409r1, nistb409, sect571k1, nistk571, sect571r1, nistb571, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, nistp192, secp224k1, secp224r1, nistp224, secp256k1, secp256r1, secp384r1, secp521r1, prime192v1, prime192v2, prime192v3, prime239v1, prime239v2, prime239v3, c2pnb163v1, c2pnb163v2, c2pnb163v3, c2pnb176v1, c2tnb191v1, c2tnb191v2, c2tnb191v3, c2pnb208w1, c2tnb239v1, c2tnb239v2, c2tnb239v3, c2pnb272w1, c2pnb304w1, c2tnb359w1, c2pnb368w1, c2tnb431r1, secp112r1, secp112r2, secp128r1, secp128r2, sect113r1, sect113r2, sect131r1, sect131r2
+If a token is available that supports more curves, the foolowing curves are supported as well: sect163k1, nistk163, sect163r1, sect163r2, nistb163, sect193r1, sect193r2, sect233k1, nistk233, sect233r1, nistb233, sect239k1, sect283k1, nistk283, sect283r1, nistb283, sect409k1, nistk409, sect409r1, nistb409, sect571k1, nistk571, sect571r1, nistb571, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, nistp192, secp224k1, secp224r1, nistp224, secp256k1, secp256r1, secp384r1, secp521r1, prime192v1, prime192v2, prime192v3, prime239v1, prime239v2, prime239v3, c2pnb163v1, c2pnb163v2, c2pnb163v3, c2pnb176v1, c2tnb191v1, c2tnb191v2, c2tnb191v3, c2pnb208w1, c2tnb239v1, c2tnb239v2, c2tnb239v3, c2pnb272w1, c2pnb304w1, c2tnb359w1, c2pnb368w1, c2tnb431r1, secp112r1, secp112r2, secp128r1, secp128r2, sect113r1, sect113r2, sect131r1, sect131r2
.RE
.PP
\-r
@@ -609,24 +609,6 @@ to generate the signature for a certificate being created or added to a database
Set an alternate exponent value to use in generating a new RSA public key for the database, instead of the default value of 65537\&. The available alternate values are 3 and 17\&.
.RE
.PP
-\-\-pss
-.RS 4
-Restrict the generated certificate (with the
-\fB\-S\fR
-option) or certificate request (with the
-\fB\-R\fR
-option) to be used with the RSA\-PSS signature scheme\&. This only works when the private key of the certificate or certificate request is RSA\&.
-.RE
-.PP
-\-\-pss\-sign
-.RS 4
-Sign the generated certificate with the RSA\-PSS signature scheme (with the
-\fB\-C\fR
-or
-\fB\-S\fR
-option)\&. This only works when the private key of the signer\*(Aqs certificate is RSA\&. If the signer\*(Aqs certificate is restricted to RSA\-PSS, it is not necessary to specify this option\&.
-.RE
-.PP
\-z noise\-file
.RS 4
Read a seed value from the specified file to generate a new private and public key pair\&. This argument makes it possible to use hardware\-generated seed values or manually create a value from the keyboard\&. The minimum file size is 20 bytes\&.
@@ -1530,8 +1512,7 @@ There are ways to narrow the keys listed in the search results:
.IP \(bu 2.3
.\}
To return a specific key, use the
-\fB\-n\fR
-\fIname\fR
+\fB\-n\fR\fIname\fR
argument with the name of the key\&.
.RE
.sp
@@ -1544,8 +1525,7 @@ argument with the name of the key\&.
.IP \(bu 2.3
.\}
If there are multiple security devices loaded, then the
-\fB\-h\fR
-\fItokenname\fR
+\fB\-h\fR\fItokenname\fR
argument can search a specific token or all tokens\&.
.RE
.sp
@@ -1558,8 +1538,7 @@ argument can search a specific token or all tokens\&.
.IP \(bu 2.3
.\}
If there are multiple key types available, then the
-\fB\-k\fR
-\fIkey\-type\fR
+\fB\-k\fR\fIkey\-type\fR
argument can search a specific type of key, like RSA, DSA, or ECC\&.
.RE
.PP
diff --git a/security/nss/doc/nroff/pk12util.1 b/security/nss/doc/nroff/pk12util.1
index e0a8da833..c4fa972c0 100644
--- a/security/nss/doc/nroff/pk12util.1
+++ b/security/nss/doc/nroff/pk12util.1
@@ -1,13 +1,13 @@
'\" t
.\" Title: PK12UTIL
.\" Author: [see the "Authors" section]
-.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
-.\" Date: 27 October 2017
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\" Date: 5 June 2014
.\" Manual: NSS Security Tools
.\" Source: nss-tools
.\" Language: English
.\"
-.TH "PK12UTIL" "1" "27 October 2017" "nss-tools" "NSS Security Tools"
+.TH "PK12UTIL" "1" "5 June 2014" "nss-tools" "NSS Security Tools"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@@ -39,24 +39,24 @@ This documentation is still work in progress\&. Please contribute to the initial
.SH "DESCRIPTION"
.PP
The PKCS #12 utility,
-\fBpk12util\fR, enables sharing certificates among any server that supports PKCS #12\&. The tool can import certificates and keys from PKCS #12 files into security databases, export certificates, and list certificates and keys\&.
+\fBpk12util\fR, enables sharing certificates among any server that supports PKCS#12\&. The tool can import certificates and keys from PKCS#12 files into security databases, export certificates, and list certificates and keys\&.
.SH "OPTIONS AND ARGUMENTS"
.PP
\fBOptions\fR
.PP
\-i p12file
.RS 4
-Import keys and certificates from a PKCS #12 file into a security database\&.
+Import keys and certificates from a PKCS#12 file into a security database\&.
.RE
.PP
\-l p12file
.RS 4
-List the keys and certificates in PKCS #12 file\&.
+List the keys and certificates in PKCS#12 file\&.
.RE
.PP
\-o p12file
.RS 4
-Export keys and certificates from the security database to a PKCS #12 file\&.
+Export keys and certificates from the security database to a PKCS#12 file\&.
.RE
.PP
\fBArguments\fR
@@ -68,7 +68,7 @@ Specify the key encryption algorithm\&.
.PP
\-C certCipher
.RS 4
-Specify the certiticate encryption algorithm\&.
+Specify the key cert (overall package) encryption algorithm\&.
.RE
.PP
\-d [sql:]directory
@@ -432,7 +432,7 @@ Specify the pkcs #12 file password\&.
.PP
The most basic usage of
\fBpk12util\fR
-for importing a certificate or key is the PKCS #12 input file (\fB\-i\fR) and some way to specify the security database being accessed (either
+for importing a certificate or key is the PKCS#12 input file (\fB\-i\fR) and some way to specify the security database being accessed (either
\fB\-d\fR
for a directory or
\fB\-h\fR
@@ -467,7 +467,7 @@ pk12util: PKCS12 IMPORT SUCCESSFUL
.PP
Using the
\fBpk12util\fR
-command to export certificates and keys requires both the name of the certificate to extract from the database (\fB\-n\fR) and the PKCS #12\-formatted output file to write to\&. There are optional parameters that can be used to encrypt the file to protect the certificate material\&.
+command to export certificates and keys requires both the name of the certificate to extract from the database (\fB\-n\fR) and the PKCS#12\-formatted output file to write to\&. There are optional parameters that can be used to encrypt the file to protect the certificate material\&.
.PP
pk12util \-o p12File \-n certname [\-c keyCipher] [\-C certCipher] [\-m|\-\-key_len keyLen] [\-n|\-\-cert_key_len certKeyLen] [\-d [sql:]directory] [\-P dbprefix] [\-k slotPasswordFile|\-K slotPassword] [\-w p12filePasswordFile|\-W p12filePassword]
.PP
@@ -559,17 +559,17 @@ Certificate Friendly Name: Thawte Freemail Member\*(Aqs Thawte Consulting (Pt
.\}
.SH "PASSWORD ENCRYPTION"
.PP
-PKCS #12 provides for not only the protection of the private keys but also the certificate and meta\-data associated with the keys\&. Password\-based encryption is used to protect private keys on export to a PKCS #12 file and, optionally, the associated certificates\&. If no algorithm is specified, the tool defaults to using PKCS #12 SHA\-1 and 3\-key triple DES for private key encryption\&. When not in FIPS mode, PKCS #12 SHA\-1 and 40\-bit RC4 is used for certificate encryption\&. When in FIPS mode, there is no certificate encryption\&. If certificate encryption is not wanted, specify
-\fB"NONE"\fR
-as the argument of the
-\fB\-C\fR
-option\&.
+PKCS#12 provides for not only the protection of the private keys but also the certificate and meta\-data associated with the keys\&. Password\-based encryption is used to protect private keys on export to a PKCS#12 file and, optionally, the entire package\&. If no algorithm is specified, the tool defaults to using
+\fBPKCS12 V2 PBE with SHA1 and 3KEY Triple DES\-cbc\fR
+for private key encryption\&.
+\fBPKCS12 V2 PBE with SHA1 and 40 Bit RC4\fR
+is the default for the overall package encryption when not in FIPS mode\&. When in FIPS mode, there is no package encryption\&.
.PP
The private key is always protected with strong encryption by default\&.
.PP
Several types of ciphers are supported\&.
.PP
-PKCS #5 password\-based encryption
+Symmetric CBC ciphers for PKCS#5 V2
.RS 4
.sp
.RS 4
@@ -580,13 +580,110 @@ PKCS #5 password\-based encryption
.sp -1
.IP \(bu 2.3
.\}
-PBES2 with AES\-CBC\-Pad as underlying encryption scheme (\fB"AES\-128\-CBC"\fR,
-\fB"AES\-192\-CBC"\fR, and
-\fB"AES\-256\-CBC"\fR)
+DES\-CBC
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+RC2\-CBC
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+RC5\-CBCPad
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+DES\-EDE3\-CBC (the default for key encryption)
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+AES\-128\-CBC
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+AES\-192\-CBC
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+AES\-256\-CBC
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+CAMELLIA\-128\-CBC
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+CAMELLIA\-192\-CBC
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+CAMELLIA\-256\-CBC
.RE
.RE
.PP
-PKCS #12 password\-based encryption
+PKCS#12 PBE ciphers
.RS 4
.sp
.RS 4
@@ -597,9 +694,7 @@ PKCS #12 password\-based encryption
.sp -1
.IP \(bu 2.3
.\}
-SHA\-1 and 128\-bit RC4 (\fB"PKCS #12 V2 PBE With SHA\-1 And 128 Bit RC4"\fR
-or
-\fB"RC4"\fR)
+PKCS #12 PBE with Sha1 and 128 Bit RC4
.RE
.sp
.RS 4
@@ -610,7 +705,7 @@ or
.sp -1
.IP \(bu 2.3
.\}
-SHA\-1 and 40\-bit RC4 (\fB"PKCS #12 V2 PBE With SHA\-1 And 40 Bit RC4"\fR) (used by default for certificate encryption in non\-FIPS mode)
+PKCS #12 PBE with Sha1 and 40 Bit RC4
.RE
.sp
.RS 4
@@ -621,9 +716,7 @@ SHA\-1 and 40\-bit RC4 (\fB"PKCS #12 V2 PBE With SHA\-1 And 40 Bit RC4"\fR) (use
.sp -1
.IP \(bu 2.3
.\}
-SHA\-1 and 3\-key triple\-DES (\fB"PKCS #12 V2 PBE With SHA\-1 And 3KEY Triple DES\-CBC"\fR
-or
-\fB"DES\-EDE3\-CBC"\fR)
+PKCS #12 PBE with Sha1 and Triple DES CBC
.RE
.sp
.RS 4
@@ -634,9 +727,7 @@ or
.sp -1
.IP \(bu 2.3
.\}
-SHA\-1 and 128\-bit RC2 (\fB"PKCS #12 V2 PBE With SHA\-1 And 128 Bit RC2 CBC"\fR
-or
-\fB"RC2\-CBC"\fR)
+PKCS #12 PBE with Sha1 and 128 Bit RC2 CBC
.RE
.sp
.RS 4
@@ -647,11 +738,114 @@ or
.sp -1
.IP \(bu 2.3
.\}
-SHA\-1 and 40\-bit RC2 (\fB"PKCS #12 V2 PBE With SHA\-1 And 40 Bit RC2 CBC"\fR)
+PKCS #12 PBE with Sha1 and 40 Bit RC2 CBC
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+PKCS12 V2 PBE with SHA1 and 128 Bit RC4
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+PKCS12 V2 PBE with SHA1 and 40 Bit RC4 (the default for non\-FIPS mode)
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+PKCS12 V2 PBE with SHA1 and 3KEY Triple DES\-cbc
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+PKCS12 V2 PBE with SHA1 and 2KEY Triple DES\-cbc
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+PKCS12 V2 PBE with SHA1 and 128 Bit RC2 CBC
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+PKCS12 V2 PBE with SHA1 and 40 Bit RC2 CBC
.RE
.RE
.PP
-With PKCS #12, the crypto provider may be the soft token module or an external hardware module\&. If the cryptographic module does not support the requested algorithm, then the next best fit will be selected (usually the default)\&. If no suitable replacement for the desired algorithm can be found, the tool returns the error
+PKCS#5 PBE ciphers
+.RS 4
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+PKCS #5 Password Based Encryption with MD2 and DES CBC
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+PKCS #5 Password Based Encryption with MD5 and DES CBC
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+PKCS #5 Password Based Encryption with SHA1 and DES CBC
+.RE
+.RE
+.PP
+With PKCS#12, the crypto provider may be the soft token module or an external hardware module\&. If the cryptographic module does not support the requested algorithm, then the next best fit will be selected (usually the default)\&. If no suitable replacement for the desired algorithm can be found, the tool returns the error
\fIno security module can perform the requested operation\fR\&.
.SH "NSS DATABASE TYPES"
.PP
@@ -793,27 +987,6 @@ For an engineering draft on the changes in the shared NSS databases, see the NSS
.\}
https://wiki\&.mozilla\&.org/NSS_Shared_DB
.RE
-.SH "COMPATIBILITY NOTES"
-.PP
-The exporting behavior of
-\fBpk12util\fR
-has changed over time, while importing files exported with older versions of NSS is still supported\&.
-.PP
-Until the 3\&.30 release,
-\fBpk12util\fR
-used the UTF\-16 encoding for the PKCS #5 password\-based encryption schemes, while the recommendation is to encode passwords in UTF\-8 if the used encryption scheme is defined outside of the PKCS #12 standard\&.
-.PP
-Until the 3\&.31 release, even when
-\fB"AES\-128\-CBC"\fR
-or
-\fB"AES\-192\-CBC"\fR
-is given from the command line,
-\fBpk12util\fR
-always used 256\-bit AES as the underlying encryption scheme\&.
-.PP
-For historical reasons,
-\fBpk12util\fR
-accepts password\-based encryption schemes not listed in this document\&. However, those schemes are not officially supported and may have issues in interoperability with other tools\&.
.SH "SEE ALSO"
.PP
certutil (1)