summaryrefslogtreecommitdiffstats
path: root/security/nss/doc
diff options
context:
space:
mode:
Diffstat (limited to 'security/nss/doc')
-rw-r--r--security/nss/doc/Makefile8
-rw-r--r--security/nss/doc/certutil.xml42
-rw-r--r--security/nss/doc/nss-policy-check.xml97
-rw-r--r--security/nss/doc/pk12util.xml2
4 files changed, 144 insertions, 5 deletions
diff --git a/security/nss/doc/Makefile b/security/nss/doc/Makefile
index 444a81a30..a4d85a69c 100644
--- a/security/nss/doc/Makefile
+++ b/security/nss/doc/Makefile
@@ -21,7 +21,7 @@ all: prepare all-man all-html
prepare: date-and-version
mkdir -p html
mkdir -p nroff
-
+
clean:
rm -f date.xml version.xml *.tar.bz2
rm -f html/*.proc
@@ -45,11 +45,11 @@ version.xml:
nroff/%.1 : %.xml
$(COMPILE.1) $<
-
+
MANPAGES = \
nroff/certutil.1 nroff/cmsutil.1 nroff/crlutil.1 nroff/pk12util.1 \
nroff/modutil.1 nroff/ssltap.1 nroff/derdump.1 nroff/signtool.1 nroff/signver.1 \
-nroff/pp.1 nroff/vfychain.1 nroff/vfyserv.1
+nroff/pp.1 nroff/vfychain.1 nroff/vfyserv.1 nroff/nss-policy-check.1
all-man: prepare $(MANPAGES)
@@ -64,6 +64,6 @@ html/%.html : %.xml
HTMLPAGES = \
html/certutil.html html/cmsutil.html html/crlutil.html html/pk12util.html html/modutil.html \
html/ssltap.html html/derdump.html html/signtool.html html/signver.html html/pp.html \
-html/vfychain.html html/vfyserv.html
+html/vfychain.html html/vfyserv.html html/nss-policy-check.html
all-html: prepare $(HTMLPAGES)
diff --git a/security/nss/doc/certutil.xml b/security/nss/doc/certutil.xml
index 5c3b3501a..519d710dc 100644
--- a/security/nss/doc/certutil.xml
+++ b/security/nss/doc/certutil.xml
@@ -180,6 +180,10 @@ For certificate requests, ASCII output defaults to standard output unless redire
</varlistentry>
<varlistentry>
+ <term>--simple-self-signed</term>
+ <listitem><para>When printing the certificate chain, don't search for a chain if issuer name equals to subject name.</para></listitem>
+ </varlistentry>
+ <varlistentry>
<term>-b validity-time</term>
<listitem><para>Specify a time at which a certificate is required to be valid. Use when checking certificate validity with the <option>-V</option> option. The format of the <emphasis>validity-time</emphasis> argument is <emphasis>YYMMDDHHMMSS[+HHMM|-HHMM|Z]</emphasis>, which allows offsets to be set relative to the validity end time. Specifying seconds (<emphasis>SS</emphasis>) is optional. When specifying an explicit time, use a Z at the end of the term, <emphasis>YYMMDDHHMMSSZ</emphasis>, to close it. When specifying an offset time, use <emphasis>YYMMDDHHMMSS+HHMM</emphasis> or <emphasis>YYMMDDHHMMSS-HHMM</emphasis> for adding or subtracting time, respectively.
</para>
@@ -424,6 +428,9 @@ of the attribute codes:
<listitem>
<para><command>J</command> (as an object signer)</para>
</listitem>
+ <listitem>
+<para><command>I</command> (as an IPSEC user)</para>
+ </listitem>
</itemizedlist></listitem>
</varlistentry>
@@ -658,6 +665,41 @@ of the attribute codes:
critical
</para>
</listitem>
+ <listitem>
+ <para>
+ x509Any
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ ipsecIKE
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ ipsecIKEEnd
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ ipsecIKEIntermediate
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ ipsecEnd
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ ipsecTunnel
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ ipsecUser
+ </para>
+ </listitem>
</itemizedlist>
<para>X.509 certificate extensions are described in RFC 5280.</para></listitem>
</varlistentry>
diff --git a/security/nss/doc/nss-policy-check.xml b/security/nss/doc/nss-policy-check.xml
new file mode 100644
index 000000000..1d891b8c3
--- /dev/null
+++ b/security/nss/doc/nss-policy-check.xml
@@ -0,0 +1,97 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+<!ENTITY date SYSTEM "date.xml">
+<!ENTITY version SYSTEM "version.xml">
+]>
+
+<refentry id="nss-policy-check">
+
+ <refentryinfo>
+ <date>&date;</date>
+ <title>NSS Security Tools</title>
+ <productname>nss-tools</productname>
+ <productnumber>&version;</productnumber>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle>NSS-POLICY-CHECK</refentrytitle>
+ <manvolnum>1</manvolnum>
+ </refmeta>
+
+ <refnamediv>
+ <refname>nss-policy-check</refname>
+ <refpurpose>nss-policy-check policy-file</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>nss-policy-check</command>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsection id="description">
+ <title>Description</title>
+ <para><command>nss-policy-check</command> verifies crypto-policy configuration that controls certain crypto algorithms are allowed/disallowed to use in the NSS library.</para>
+
+ <para>The crypto-policy configuration can be stored in either a system-wide configuration file, specified with the POLICY_PATH and POLICY_FILE build options, or in the pkcs11.txt in NSS database.</para>
+ </refsection>
+
+ <refsection id="basic-usage">
+ <title>Usage and Examples</title>
+ <para>To check the global crypto-policy configuration in <filename>/etc/crypto-policies/back-ends/nss.config</filename>:
+ </para>
+ <programlisting>$ nss-policy-check /etc/crypto-policies/back-ends/nss.config
+NSS-POLICY-INFO: LOADED-SUCCESSFULLY
+NSS-POLICY-INFO: PRIME256V1 is enabled for KX
+NSS-POLICY-INFO: PRIME256V1 is enabled for CERT-SIGNATURE
+NSS-POLICY-INFO: SECP256R1 is enabled for KX
+NSS-POLICY-INFO: SECP256R1 is enabled for CERT-SIGNATURE
+NSS-POLICY-INFO: SECP384R1 is enabled for KX
+NSS-POLICY-INFO: SECP384R1 is enabled for CERT-SIGNATURE
+...
+NSS-POLICY-INFO: NUMBER-OF-SSL-ALG-KX: 13
+NSS-POLICY-INFO: NUMBER-OF-SSL-ALG: 9
+NSS-POLICY-INFO: NUMBER-OF-CERT-SIG: 9
+...
+NSS-POLICY-INFO: ciphersuite TLS_AES_128_GCM_SHA256 is enabled
+NSS-POLICY-INFO: ciphersuite TLS_CHACHA20_POLY1305_SHA256 is enabled
+NSS-POLICY-INFO: ciphersuite TLS_AES_256_GCM_SHA384 is enabled
+...
+NSS-POLICY-INFO: NUMBER-OF-CIPHERSUITES: 24
+NSS-POLICY-INFO: NUMBER-OF-TLS-VERSIONS: 3
+NSS-POLICY-INFO: NUMBER-OF-DTLS-VERSIONS: 2
+ </programlisting>
+ <para>If there is a failure or warning, it will be prefixed with
+ NSS-POLICY-FAIL or NSS-POLICY_WARN.
+ </para>
+ <para><command>nss-policy-check</command> exits with 2 if any
+ failure is found, 1 if any warning is found, or 0 if no errors are
+ found.</para>
+ </refsection>
+
+<!-- don't change -->
+ <refsection id="resources">
+ <title>Additional Resources</title>
+ <para>For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at <ulink url="http://www.mozilla.org/projects/security/pki/nss/">http://www.mozilla.org/projects/security/pki/nss/</ulink>. The NSS site relates directly to NSS code changes and releases.</para>
+ <para>Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto</para>
+ <para>IRC: Freenode at #dogtag-pki</para>
+ </refsection>
+
+<!-- fill in your name first; keep the other names for reference -->
+ <refsection id="authors">
+ <title>Authors</title>
+ <para>The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
+ <para>
+ Authors: Elio Maldonado &lt;emaldona@redhat.com>, Deon Lackey &lt;dlackey@redhat.com>.
+ </para>
+ </refsection>
+
+<!-- don't change -->
+ <refsection id="license">
+ <title>LICENSE</title>
+ <para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ </para>
+ </refsection>
+
+</refentry>
diff --git a/security/nss/doc/pk12util.xml b/security/nss/doc/pk12util.xml
index 3f8eecf1b..1bd218d14 100644
--- a/security/nss/doc/pk12util.xml
+++ b/security/nss/doc/pk12util.xml
@@ -108,7 +108,7 @@
</varlistentry>
<varlistentry>
- <term>-n | --cert-key-len certKeyLength</term>
+ <term>--cert-key-len certKeyLength</term>
<listitem><para>Specify the desired length of the symmetric key to be used to encrypt the certificates and other meta-data.</para></listitem>
</varlistentry>