diff options
Diffstat (limited to 'security/nss/cmd/symkeyutil/symkey.man')
-rw-r--r-- | security/nss/cmd/symkeyutil/symkey.man | 182 |
1 files changed, 182 insertions, 0 deletions
diff --git a/security/nss/cmd/symkeyutil/symkey.man b/security/nss/cmd/symkeyutil/symkey.man new file mode 100644 index 000000000..e3c2e4c6e --- /dev/null +++ b/security/nss/cmd/symkeyutil/symkey.man @@ -0,0 +1,182 @@ + +NAME + symkeyutil - manage fixed keys in the database + +SYNOPSIS + symkeyutil -H + symkeyutil -L [std_opts] [-r] + symkeyutil -K [-n name] -t type [-s size] [-i id |-j id_file] [std_opts] + symkeyutil -D <[-n name | -i id | -j id_file> [std_opts] + symkeyutil -I [-n name] [-t type] [-i id | -j id_file] -k data_file [std_opts] + symkeyutil -E <-nname | -i id | -j id_file> [-t type] -k data_file [-r] [std_opts] + symkeyutil -U [-n name] [-t type] [-i id | -j id_file] -k data_file <wrap_opts> [std_opts] + symkeyutil -W <-n name | -i id | -j id_file> [-t type] -k data_file [-r] <wrap_opts> [std_opts] + symkeyutil -M <-n name | -i id | -j id_file> -g target_token [std_opts] + std_opts -> [-d certdir] [-P dbprefix] [-p password] [-f passwordFile] [-h token] + wrap_opts -> <-w wrap_name | -x wrap_id | -y id_file> + +DESCRIPTION + + NSS can store fixed keys as well as asymetric keys in the database. The + symkeyutil command can be used to manage these keys. + + As with certutil, symkeyutil takes two types of arguments, commands and + options. Most commands fall into one of two catagories: commands which + create keys and commands which extract or destroy keys. + + Exceptions to these catagories are listed first: + + -H takes no additional options. It lists a more detailed help message. + -L takes the standard set of options. It lists all the keys in the + specified token (NSS Internal DB Token is the default). Only the + -L option accepts the all option for tokens to list all the fixed + keys. + + Key Creation commands: + For these commands, the key type (-t) option is always required. + In addition, the -s option may be required for certain key types. + The standard set of options may be specified. + + -K Create a new key using the token key gen function. + -I Import a new key from the raw data specified in the data file, + specified with the -k options (required). This command may fail on + some tokens that don't support direct import of key material. + -U Unwrap a new key from an encrypted data file specified with the -k + option. The -w, -x, or -y option specifies the unwrapping key. + The unwrapping algorithm is selected based on the type of the + unwrapping key. + + Key extraction/destruction options: + For these keys, one and only of of the -n, -i, or -j options must be + specified. If more than one key matches the -n option, the 'first' key + matching will be used. The standard set of options may be specified. + + -D Delete the key specified by the -n, -i, or -j options. + -E Export the key specified by the -n, -i, or -j options and store the + contents to a file specified by the -k file (required). + This command will seldom work on any token since most keys are + protected from export. + -W Wrap the key specified by the -n, -i, or -j options and store the + encrypted contents to a file specified by the -k file (required). + The -w, -x, or -y option specifies the key used to wrap the + target key. + -M Move the key specified by the -n, -i, or -j options to the token + specified by the -g option (required). The new key will have the + same attributes as the source key. + +OPTIONS + + Standard options are those options that may be used by any command, and + whose meaning is the same for all commands. + + -h token Specify the token which the command will operate on. + If -h is not specified the internal token is presumed. In + addition the special value 'all' may be used to specify + that all tokens should be used. This is only valid for + the '-L' command. + -d certdir Specify the location of the NSS databases. The default + value is platform dependent. + -P dbprefix Specify the prefix for the NSS database. The default value + is NULL. + -p password Specify the password for the token. On the command line. + The -p and -f options are mutually exclusive. If + neither option is specified, the password would be + prompted from the user. + -f passwordFile Specify a file that contains the password for the token. + This option is mutually exclusive to the -p option. + + In addition to the standard options are the following command specific + options are. + + -r Opens the NSS databases Read/Write. By default the -L, + -E, and -W commands open the database read only. Other + commands automatically opens the databases Read/Write and + igore this option if it is specified. + + -n name Specifies the nickname for the key. + + For the -K, -I, or -U options, name is the name for + the new key. If -n is not specified, no name is + assumed. There is not check for duplicate names. + + For the -D, -E, -W, or -M, the name specifies the key to + operate on. In this case one andy only one of the -n, -i + or -j options should be specifed. It is possible that + the -n options specifies and ambiguous key. In that case + the 'first' valid key is used. + + For the -M option, the nickname for the new key is copied + from it's original key, even if the original key is + specified using -i or -j. + + -i key id + -j key id file These options are equivalent and mutually exclusive. + They specify the key id for the file. The -i option + specifies the key id on the command line using a hex + string. The -j specifies a file to read the raw key + id from. + + For the -K, -I, or -U options, key id is the key id for + the new key. If -i or -j is not specified, no key id + is assumed. Some tokens may generate their own unique + id for the key in this case (but it is not guarrenteed). + + For the -D, -E, -W, or -M, the key id specifies the key to + operate on. In this case one andy only one of the -n, -i + or -j options should be specifed. + + -t type Specifies the key Type for the new key. This option is + required for the -K, -I, and -U commands. Valid values + are: + generic, rc2, rc4, des, des2, des3, cast, cast3, + cast5, cast128, rc5, idea, skipjack, baton, juniper, + cdmf, aes, camellia + + Not all tokens support all key types. The generic key + type is usually used in MACing and key derivation + algorithms. Neither generic nor rc4 keys may be used + to wrap other keys. Fixed rc4 keys are dangerous since + multiple use of the same stream cipher key to encrypted + different data can compromise all data encrypted with + that key. + + -s size Specifies the key size. For most situations the key size + is already known and need not be specified. For some + algorithms, however, it is necessary to specify the key + size when generation or unwrapping the key. + + -k key file Specifies the name of a file that contains key data to + import or unwrap (-I or -U), or the location to store + key data or encrypted key data (-E or -W). + + -g target token Specifies the target token when moving a key (-M). This + option is required for the -M command. It is invalid for + all other commands. + + + + -w wrap name + -x wrap key id + -y wrap key id file Specifies the wrapping key used int the -U and -W + command. Exactly one of these must be specified for the + -U or -W commands. Same semantics as the -n, -i, and -j + options above. + +BUGS + + There is no way display the key id of a key. + + The -p and -f options only specifies one password. Multiple passwords may + be needed for the -L -h all command and the -M command. + + Perhaps RC4 should not be supported as a key type. Use of these keys as + fixed keys is exceedingly dangerous. + + The handling of multiple keys with the same nickname should be more + deterministic than 'the first one' + + There is no way to specify, or display the operation flags of a key. The + operation flags are not copied with the -M option as they should be. + + There is no way to change the attributes of a key (nickname, id, operation + flags). |