DXR is a code search and navigation tool aimed at making sense of large projects. It supports full-text and regex searches as well as structural queries.

Mercurial (d8847129d134)

VCS Links

Line Code
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
<!ENTITY date SYSTEM "date.xml">
<!ENTITY version SYSTEM "version.xml">
]>

<refentry id="vfychain">

  <refentryinfo>
    <date>&date;</date>
    <title>NSS Security Tools</title>
    <productname>nss-tools</productname>
    <productnumber>&version;</productnumber>
  </refentryinfo>

  <refmeta>
    <refentrytitle>VFYCHAIN</refentrytitle>
    <manvolnum>1</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>vfychain </refname>
    <refpurpose>vfychain [options] [revocation options] certfile [[options] certfile] ...</refpurpose>
  </refnamediv>

 <refsynopsisdiv>
    <cmdsynopsis>
      <command>vfychain</command>
    </cmdsynopsis>
  </refsynopsisdiv>

  <refsection>
    <title>STATUS</title>
    <para>This documentation is still work in progress. Please contribute to the initial review in <ulink url="https://bugzilla.mozilla.org/show_bug.cgi?id=836477">Mozilla NSS bug 836477</ulink>
    </para>
  </refsection>

  <refsection id="description">
    <title>Description</title>
    <para>The verification Tool, <command>vfychain</command>, verifies certificate chains. <command>modutil</command> can add and delete PKCS #11 modules, change passwords on security databases, set defaults, list module contents, enable or disable slots, enable or disable FIPS 140-2 compliance, and assign default providers for cryptographic operations. This tool can also create certificate, key, and module security database files.</para>

	<para>The tasks associated with security module database management are part of a process that typically also involves managing key databases and certificate databases.</para>
  </refsection>

  <refsection id="options">
    <title>Options</title>
    
    <variablelist>

      <varlistentry>
        <term><option>-a</option></term>
        <listitem>
          <simpara>the following certfile is base64 encoded</simpara>
        </listitem>
      </varlistentry>

      <varlistentry>
          <term><option>-b </option> <replaceable>YYMMDDHHMMZ</replaceable></term>
        <listitem>
          <simpara>Validate date (default: now)</simpara>
        </listitem>
      </varlistentry>

      <varlistentry>
          <term><option>-d </option> <replaceable>directory</replaceable></term>        <listitem>
          <simpara>database directory</simpara>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><option>-f </option> </term>
        <listitem>
          <simpara>Enable cert fetching from AIA URL</simpara>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><option>-o </option> <replaceable>oid</replaceable></term>
        <listitem>
          <simpara>Set policy OID for cert validation(Format OID.1.2.3)</simpara>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><option>-p </option></term>
        <listitem>
          <simpara>Use PKIX Library to validate certificate by calling:</simpara>
		  <simpara>	   * CERT_VerifyCertificate if specified once,</simpara>
		  <simpara>	   * CERT_PKIXVerifyCert if specified twice and more.</simpara>
        </listitem>
      </varlistentry>

      <varlistentry>
          <term><option>-r </option></term>
          <listitem>
            <simpara>Following certfile is raw binary DER (default)</simpara>
         </listitem>
       </varlistentry>

       <varlistentry>
         <term><option>-t</option></term>
         <listitem>
	       <simpara>Following cert is explicitly trusted (overrides db trust)</simpara>
         </listitem>
       </varlistentry>

       <varlistentry>
         <term><option>-u </option> <replaceable>usage</replaceable></term>
         <listitem>
            <para>
	 	 0=SSL client, 1=SSL server, 2=SSL StepUp, 3=SSL CA,
	     4=Email signer, 5=Email recipient, 6=Object signer,
		 9=ProtectedObjectSigner, 10=OCSP responder, 11=Any CA
            </para>
         </listitem>
        </varlistentry>

        <varlistentry>
          <term><option>-T </option></term>
          <listitem>
	        <simpara>Trust both explicit trust anchors (-t) and the database. (Without this option, the default is to only trust certificates marked -t, if there are any, or to trust the database if there are certificates marked -t.)
            </simpara>
          </listitem>
        </varlistentry>

        <varlistentry>
          <term><option>-v </option></term>
          <listitem>
	        <simpara>Verbose mode. Prints root cert subject(double the
			 argument for whole root cert info)
            </simpara>
          </listitem>
        </varlistentry>

      <varlistentry>
        <term><option>-w </option> <replaceable>password</replaceable></term>
        <listitem>
          <simpara>Database password</simpara>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><option>-W </option> <replaceable>pwfile</replaceable></term>
        <listitem>
          <simpara>Password file</simpara>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><option></option></term>
        <listitem>
          <simpara>Revocation options for PKIX API (invoked with -pp options) is a
	collection of the following flags:
		[-g type [-h flags] [-m type [-s flags]] ...] ...</simpara>
          <simpara>Where: </simpara>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><option>-g </option> <replaceable>test-type</replaceable></term>
        <listitem>
          <simpara>Sets status checking test type. Possible values
			are "leaf" or "chain"
          </simpara>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><option>-g </option> <replaceable>test type</replaceable></term>
        <listitem>
          <simpara>Sets status checking test type. Possible values
			are "leaf" or "chain".
          </simpara>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><option>-h </option> <replaceable>test flags</replaceable></term>
        <listitem>
          <simpara>Sets revocation flags for the test type it
			follows. Possible flags: "testLocalInfoFirst" and
			"requireFreshInfo".
          </simpara>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><option>-m </option> <replaceable>method type</replaceable></term>
        <listitem>
          <simpara>Sets method type for the test type it follows.
			Possible types are "crl" and "ocsp".
          </simpara>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><option>-s </option> <replaceable>method flags</replaceable></term>
        <listitem>
          <simpara>Sets revocation flags for the method it follows.
			Possible types are "doNotUse", "forbidFetching",
			"ignoreDefaultSrc", "requireInfo" and "failIfNoInfo".
          </simpara>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsection>

<!-- don't change -->
  <refsection id="resources">
    <title>Additional Resources</title>
	<para>For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at <ulink url="http://www.mozilla.org/projects/security/pki/nss/">http://www.mozilla.org/projects/security/pki/nss/</ulink>. The NSS site relates directly to NSS code changes and releases.</para>
	<para>Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto</para>
	<para>IRC: Freenode at #dogtag-pki</para>
  </refsection>

<!-- fill in your name first; keep the other names for reference -->
  <refsection id="authors">
    <title>Authors</title>
    <para>The NSS tools were written and maintained by developers with Netscape, Red Hat,  Sun, Oracle, Mozilla, and Google.</para>
    <para>
	Authors: Elio Maldonado &lt;emaldona@redhat.com>, Deon Lackey &lt;dlackey@redhat.com>.
    </para>
  </refsection>

<!-- don't change -->
  <refsection id="license">
    <title>LICENSE</title>
    <para>Licensed under the Mozilla Public License, v. 2.0.  If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
    </para>
  </refsection>

</refentry>