Diffstat (limited to 'security/nss/doc')
-rw-r--r-- | security/nss/doc/Makefile | 8 | ||||
-rw-r--r-- | security/nss/doc/certutil.xml | 42 | ||||
-rw-r--r-- | security/nss/doc/nss-policy-check.xml | 97 | ||||
-rw-r--r-- | security/nss/doc/pk12util.xml | 2 |
4 files changed, 144 insertions, 5 deletions
diff --git a/security/nss/doc/Makefile b/security/nss/doc/Makefile index 444a81a30..a4d85a69c 100644 --- a/security/nss/doc/Makefile +++ b/security/nss/doc/Makefile @@ -21,7 +21,7 @@ all: prepare all-man all-html prepare: date-and-version mkdir -p html mkdir -p nroff - + clean: rm -f date.xml version.xml *.tar.bz2 rm -f html/*.proc @@ -45,11 +45,11 @@ version.xml: nroff/%.1 : %.xml $(COMPILE.1) $< - + MANPAGES = \ nroff/certutil.1 nroff/cmsutil.1 nroff/crlutil.1 nroff/pk12util.1 \ nroff/modutil.1 nroff/ssltap.1 nroff/derdump.1 nroff/signtool.1 nroff/signver.1 \ -nroff/pp.1 nroff/vfychain.1 nroff/vfyserv.1 +nroff/pp.1 nroff/vfychain.1 nroff/vfyserv.1 nroff/nss-policy-check.1 all-man: prepare $(MANPAGES) @@ -64,6 +64,6 @@ html/%.html : %.xml HTMLPAGES = \ html/certutil.html html/cmsutil.html html/crlutil.html html/pk12util.html html/modutil.html \ html/ssltap.html html/derdump.html html/signtool.html html/signver.html html/pp.html \ -html/vfychain.html html/vfyserv.html +html/vfychain.html html/vfyserv.html html/nss-policy-check.html all-html: prepare $(HTMLPAGES) diff --git a/security/nss/doc/certutil.xml b/security/nss/doc/certutil.xml index 5c3b3501a..519d710dc 100644 --- a/security/nss/doc/certutil.xml +++ b/security/nss/doc/certutil.xml 
@@ -180,6 +180,10 @@ For certificate requests, ASCII output defaults to standard output unless redire </varlistentry> <varlistentry> + <term>--simple-self-signed</term> + <listitem><para>When printing the certificate chain, don't search for a chain if issuer name equals to subject name.</para></listitem> + </varlistentry> + <varlistentry> <term>-b validity-time</term> <listitem><para>Specify a time at which a certificate is required to be valid. Use when checking certificate validity with the <option>-V</option> option. The format of the <emphasis>validity-time</emphasis> argument is <emphasis>YYMMDDHHMMSS[+HHMM|-HHMM|Z]</emphasis>, which allows offsets to be set relative to the validity end time. Specifying seconds (<emphasis>SS</emphasis>) is optional. When specifying an explicit time, use a Z at the end of the term, <emphasis>YYMMDDHHMMSSZ</emphasis>, to close it. When specifying an offset time, use <emphasis>YYMMDDHHMMSS+HHMM</emphasis> or <emphasis>YYMMDDHHMMSS-HHMM</emphasis> for adding or subtracting time, respectively. </para> @@ -424,6 +428,9 @@ of the attribute codes: <listitem> <para><command>J</command> (as an object signer)</para> </listitem> + <listitem> +<para><command>I</command> (as an IPSEC user)</para> + </listitem> </itemizedlist></listitem> </varlistentry> @@ -658,6 +665,41 @@ of the attribute codes: critical </para> </listitem> + <listitem> + <para> + x509Any + </para> + </listitem> + <listitem> + <para> + ipsecIKE + </para> + </listitem> + <listitem> + <para> + ipsecIKEEnd + </para> + </listitem> + <listitem> + <para> + ipsecIKEIntermediate + </para> + </listitem> + <listitem> + <para> + ipsecEnd + </para> + </listitem> + <listitem> + <para> + ipsecTunnel + </para> + </listitem> + <listitem> + <para> + ipsecUser + </para> + </listitem> </itemizedlist> <para>X.509 certificate extensions are described in RFC 5280.</para></listitem> </varlistentry> 
diff --git a/security/nss/doc/nss-policy-check.xml b/security/nss/doc/nss-policy-check.xml
new file mode 100644
index 000000000..1d891b8c3
--- /dev/null
+++ b/security/nss/doc/nss-policy-check.xml
@@ -0,0 +1,97 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+<!ENTITY date SYSTEM "date.xml">
+<!ENTITY version SYSTEM "version.xml">
+]>
+
+<refentry id="nss-policy-check">
+
+ <refentryinfo>
+ <date>&date;</date>
+ <title>NSS Security Tools</title>
+ <productname>nss-tools</productname>
+ <productnumber>&version;</productnumber>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle>NSS-POLICY-CHECK</refentrytitle>
+ <manvolnum>1</manvolnum>
+ </refmeta>
+
+ <refnamediv>
+ <refname>nss-policy-check</refname>
+ <refpurpose>nss-policy-check policy-file</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>nss-policy-check</command>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsection id="description">
+ <title>Description</title>
+ <para><command>nss-policy-check</command> verifies crypto-policy configuration that controls certain crypto algorithms are allowed/disallowed to use in the NSS library.</para>
+
+ <para>The crypto-policy configuration can be stored in either a system-wide configuration file, specified with the POLICY_PATH and POLICY_FILE build options, or in the pkcs11.txt in NSS database.</para>
+ </refsection>
+
+ <refsection id="basic-usage">
+ <title>Usage and Examples</title>
+ <para>To check the global crypto-policy configuration in <filename>/etc/crypto-policies/back-ends/nss.config</filename>:
+ </para>
+ <programlisting>$ nss-policy-check /etc/crypto-policies/back-ends/nss.config
+NSS-POLICY-INFO: LOADED-SUCCESSFULLY
+NSS-POLICY-INFO: PRIME256V1 is enabled for KX
+NSS-POLICY-INFO: PRIME256V1 is enabled for CERT-SIGNATURE
+NSS-POLICY-INFO: SECP256R1 is enabled for KX
+NSS-POLICY-INFO: SECP256R1 is enabled for CERT-SIGNATURE
+NSS-POLICY-INFO: SECP384R1 is enabled for KX
+NSS-POLICY-INFO: SECP384R1 is enabled for CERT-SIGNATURE
+...
+NSS-POLICY-INFO: NUMBER-OF-SSL-ALG-KX: 13
+NSS-POLICY-INFO: NUMBER-OF-SSL-ALG: 9
+NSS-POLICY-INFO: NUMBER-OF-CERT-SIG: 9
+...
+NSS-POLICY-INFO: ciphersuite TLS_AES_128_GCM_SHA256 is enabled
+NSS-POLICY-INFO: ciphersuite TLS_CHACHA20_POLY1305_SHA256 is enabled
+NSS-POLICY-INFO: ciphersuite TLS_AES_256_GCM_SHA384 is enabled
+...
+NSS-POLICY-INFO: NUMBER-OF-CIPHERSUITES: 24
+NSS-POLICY-INFO: NUMBER-OF-TLS-VERSIONS: 3
+NSS-POLICY-INFO: NUMBER-OF-DTLS-VERSIONS: 2
+ </programlisting>
+ <para>If there is a failure or warning, it will be prefixed with
+ NSS-POLICY-FAIL or NSS-POLICY_WARN.
+ </para>
+ <para><command>nss-policy-check</command> exits with 2 if any
+ failure is found, 1 if any warning is found, or 0 if no errors are
+ found.</para>
+ </refsection>
+
+<!-- don't change -->
+ <refsection id="resources">
+ <title>Additional Resources</title>
+ <para>For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at <ulink url="http://www.mozilla.org/projects/security/pki/nss/">http://www.mozilla.org/projects/security/pki/nss/</ulink>. The NSS site relates directly to NSS code changes and releases.</para>
+ <para>Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto</para>
+ <para>IRC: Freenode at #dogtag-pki</para>
+ </refsection>
+
+<!-- fill in your name first; keep the other names for reference -->
+ <refsection id="authors">
+ <title>Authors</title>
+ <para>The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
+ <para>
+ Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey <dlackey@redhat.com>.
+ </para>
+ </refsection>
+
+<!-- don't change -->
+ <refsection id="license">
+ <title>LICENSE</title>
+ <para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ </para>
+ </refsection>
+
+</refentry>
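Review bot: The paragraph after the example output documents the prefixes as `NSS-POLICY-FAIL or NSS-POLICY_WARN`, and the underscore in the second one breaks the hyphenated pattern of `NSS-POLICY-INFO` and `NSS-POLICY-FAIL`. Anyone who filters the tool's output on the documented string could miss warnings, so the spelling should be checked against what the tool actually prints and, if it is a typo, written as `NSS-POLICY-WARN`. Separately, `<cmdsynopsis>` lists only the command, while the required argument appears in `<refpurpose>`, which should hold a one-line purpose instead. I would write `<refpurpose>check an NSS crypto-policy configuration file</refpurpose>` and add `<arg choice="plain"><replaceable>policy-file</replaceable></arg>` after the `<command>` element in the synopsis.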
diff --git a/security/nss/doc/pk12util.xml b/security/nss/doc/pk12util.xml index 3f8eecf1b..1bd218d14 100644 --- a/security/nss/doc/pk12util.xml +++ b/security/nss/doc/pk12util.xml @@ -108,7 +108,7 @@ </varlistentry> <varlistentry> - <term>-n | --cert-key-len certKeyLength</term> + <term>--cert-key-len certKeyLength</term> <listitem><para>Specify the desired length of the symmetric key to be used to encrypt the certificates and other meta-data.</para></listitem> </varlistentry> |