DXR is a code search and navigation tool aimed at making sense of large projects. It supports full-text and regex searches as well as structural queries.

Mercurial (d8847129d134)

VCS Links

Line Code
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
<!ENTITY date SYSTEM "date.xml">
<!ENTITY version SYSTEM "version.xml">
]>

<refentry id="signver">

  <refentryinfo>
    <date>&date;</date>
    <title>NSS Security Tools</title>
    <productname>nss-tools</productname>
    <productnumber>&version;</productnumber>
  </refentryinfo>

  <refmeta>
    <refentrytitle>SIGNVER</refentrytitle>
    <manvolnum>1</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>signver</refname>
    <refpurpose>Verify a detached PKCS#7 signature for a file.</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <cmdsynopsis>
      <command>signtool</command>
	<group choice="plain">
		<arg choice="plain">-A</arg>
		<arg choice="plain">-V</arg>
	</group>
      <arg choice="plain">-d <replaceable>directory</replaceable></arg>
      <arg>-a</arg>
	<arg>-i <replaceable>input_file</replaceable></arg>
	<arg>-o <replaceable>output_file</replaceable></arg>
	<arg>-s <replaceable>signature_file</replaceable></arg>
      <arg>-v</arg>
    </cmdsynopsis>
  </refsynopsisdiv>

  <refsection>
    <title>STATUS</title>
    <para>This documentation is still work in progress. Please contribute to the initial review in <ulink url="https://bugzilla.mozilla.org/show_bug.cgi?id=836477">Mozilla NSS bug 836477</ulink>
    </para>
  </refsection>

  <refsection id="description">
    <title>Description</title>

    <para>The Signature Verification Tool, <command>signver</command>, is a simple command-line utility that unpacks a base-64-encoded PKCS#7 signed object and verifies the digital signature using standard cryptographic techniques. The Signature Verification Tool can also display the contents of the signed object.</para>
  </refsection>
  
  <refsection id="options">
    <title>Options</title>
    <variablelist>
      <varlistentry>
        <term>-A</term>
        <listitem><para>Displays all of the information in the PKCS#7 signature.</para></listitem>
      </varlistentry>
      <varlistentry>
        <term>-V</term>
        <listitem><para>Verifies the digital signature.</para></listitem>
      </varlistentry>
      <varlistentry>
        <term>-d [sql:]<emphasis>directory</emphasis></term>
        <listitem><para>Specify the database directory which contains the certificates and keys.</para>
	<para><command>signver</command> supports two types of databases: the legacy security databases (<filename>cert8.db</filename>, <filename>key3.db</filename>, and <filename>secmod.db</filename>) and new SQLite databases (<filename>cert9.db</filename>, <filename>key4.db</filename>, and <filename>pkcs11.txt</filename>). If the prefix <command>sql:</command> is not used, then the tool assumes that the given databases are in the old format.</para></listitem>
      </varlistentry>
      <varlistentry>
        <term>-a</term>
        <listitem><para>Sets that the given signature file is in ASCII format.</para></listitem>
      </varlistentry>
      <varlistentry>
        <term>-i <emphasis>input_file</emphasis></term>
        <listitem><para>Gives the input file for the object with signed data.</para></listitem>
      </varlistentry>
      <varlistentry>
        <term>-o <emphasis>output_file</emphasis></term>
        <listitem><para>Gives the output file to which to write the results.</para></listitem>
      </varlistentry>
      <varlistentry>
        <term>-s <emphasis>signature_file</emphasis></term>
        <listitem><para>Gives the input file for the digital signature.</para></listitem>
      </varlistentry>
      <varlistentry>
        <term>-v</term>
        <listitem><para>Enables verbose output.</para></listitem>
      </varlistentry>
    </variablelist>
  </refsection>

  <refsection id="examples">
    <title>Extended Examples</title>
	<refsection><title>Verifying a Signature</title>
	<para>The <option>-V</option> option verifies that the signature in a given signature file is valid when used to sign the given object (from the input file).</para>
<programlisting>signver -V -s <replaceable>signature_file</replaceable> -i <replaceable>signed_file</replaceable> -d sql:/home/my/sharednssdb

signatureValid=yes</programlisting>
	</refsection>

	<refsection><title>Printing Signature Data</title>
		<para>
			The <option>-A</option> option prints all of the information contained in a signature file. Using the <option>-o</option> option prints the signature file information to the given output file rather than stdout.
		</para>
<programlisting>signver -A -s <replaceable>signature_file</replaceable> -o <replaceable>output_file</replaceable></programlisting>
	</refsection>
  </refsection>

<refsection id="databases"><title>NSS Database Types</title>
<para>NSS originally used BerkeleyDB databases to store security information. 
The last versions of these <emphasis>legacy</emphasis> databases are:</para>
<itemizedlist>
	<listitem>
		<para>
			cert8.db for certificates
		</para>
	</listitem>
	<listitem>
		<para>
			key3.db for keys
		</para>
	</listitem>
	<listitem>
		<para>
			secmod.db for PKCS #11 module information
		</para>
	</listitem>
</itemizedlist>

<para>BerkeleyDB has performance limitations, though, which prevent it from being easily used by multiple applications simultaneously. NSS has 
some flexibility that allows applications to use their own, independent database engine while keeping a shared database and working around the access issues. Still, NSS
requires more flexibility to provide a truly shared security database.</para>

<para>In 2009, NSS introduced a new set of databases that are SQLite databases rather than 
BerkleyDB. These new databases provide more accessibility and performance:</para>
<itemizedlist>
	<listitem>
		<para>
			cert9.db for certificates
		</para>
	</listitem>
	<listitem>
		<para>
			key4.db for keys
		</para>
	</listitem>
	<listitem>
		<para>
			pkcs11.txt, which is listing of all of the PKCS #11 modules contained in a new subdirectory in the security databases directory
		</para>
	</listitem>
</itemizedlist>

<para>Because the SQLite databases are designed to be shared, these are the <emphasis>shared</emphasis> database type. The shared database type is preferred; the legacy format is included for backward compatibility.</para>

<para>By default, the tools (<command>certutil</command>, <command>pk12util</command>, <command>modutil</command>) assume that the given security databases follow the more common legacy type. 
Using the SQLite databases must be manually specified by using the <command>sql:</command> prefix with the given security directory. For example:</para>

<programlisting># signver -A -s <replaceable>signature</replaceable> -d sql:/home/my/sharednssdb</programlisting>

<para>To set the shared database type as the default type for the tools, set the <envar>NSS_DEFAULT_DB_TYPE</envar> environment variable to <envar>sql</envar>:</para>
<programlisting>export NSS_DEFAULT_DB_TYPE="sql"</programlisting>

<para>This line can be added to the <filename>~/.bashrc</filename> file to make the change permanent for the user.</para>

<para>Most applications do not use the shared database by default, but they can be configured to use them. For example, this how-to article covers how to configure Firefox and Thunderbird to use the new shared NSS databases:</para>
<itemizedlist>
	<listitem>
		<para>
			https://wiki.mozilla.org/NSS_Shared_DB_Howto</para>
	</listitem>
</itemizedlist>
<para>For an engineering draft on the changes in the shared NSS databases, see the NSS project wiki:</para>
<itemizedlist>
	<listitem>
		<para>
			https://wiki.mozilla.org/NSS_Shared_DB
		</para>
	</listitem>
</itemizedlist>
</refsection>

  <refsection id="seealso">
    <title>See Also</title>
    <para>signtool (1)</para>

	<para>The NSS wiki has information on the new database design and how to configure applications to use it.</para>
	<itemizedlist>
		<listitem>
			<para>Setting up the shared NSS database</para>
			<para>https://wiki.mozilla.org/NSS_Shared_DB_Howto</para>
		</listitem>
		<listitem>
			<para>
				Engineering and technical information about the shared NSS database
			</para>
			<para>
				https://wiki.mozilla.org/NSS_Shared_DB
			</para>
		</listitem>
	</itemizedlist>
  </refsection>

<!-- don't change -->
  <refsection id="resources">
    <title>Additional Resources</title>
	<para>For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at <ulink url="http://www.mozilla.org/projects/security/pki/nss/">http://www.mozilla.org/projects/security/pki/nss/</ulink>. The NSS site relates directly to NSS code changes and releases.</para>
	<para>Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto</para>
	<para>IRC: Freenode at #dogtag-pki</para>
  </refsection>

<!-- fill in your name first; keep the other names for reference -->
  <refsection id="authors">
    <title>Authors</title>
    <para>The NSS tools were written and maintained by developers with Netscape, Red Hat,  Sun, Oracle, Mozilla, and Google.</para>
    <para>
	Authors: Elio Maldonado &lt;emaldona@redhat.com>, Deon Lackey &lt;dlackey@redhat.com>.
    </para>
  </refsection>

<!-- don't change -->
  <refsection id="license">
    <title>LICENSE</title>
    <para>Licensed under the Mozilla Public License, v. 2.0.  If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
    </para>
  </refsection>

</refentry>