'\" t
.\" Title: SIGNVER
.\" Author: [see the "Authors" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 5 June 2014
.\" Manual: NSS Security Tools
.\" Source: nss-tools
.\" Language: English
.\"
.TH "SIGNVER" "1" "5 June 2014" "nss-tools" "NSS Security Tools"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
signver \- Verify a detached PKCS#7 signature for a file\&.
.SH "SYNOPSIS"
.HP \w'\fBsignver\fR\ 'u
\fBsignver\fR \-A | \-V \-d\ \fIdirectory\fR [\-a] [\-i\ \fIinput_file\fR] [\-o\ \fIoutput_file\fR] [\-s\ \fIsignature_file\fR] [\-v]
.SH "STATUS"
.PP
This documentation is still work in progress\&. Please contribute to the initial review in
\m[blue]\fBMozilla NSS bug 836477\fR\m[]\&\s-2\u[1]\d\s+2
.SH "DESCRIPTION"
.PP
The Signature Verification Tool,
\fBsignver\fR, is a simple command\-line utility that unpacks a base\-64\-encoded PKCS#7 signed object and verifies the digital signature using standard cryptographic techniques\&. The Signature Verification Tool can also display the contents of the signed object\&.
.SH "OPTIONS"
.PP
\-A
.RS 4
Displays all of the information in the PKCS#7 signature\&.
.RE
.PP
\-V
.RS 4
Verifies the digital signature\&.
.RE
.PP
\-d [sql:]\fIdirectory\fR
.RS 4
Specify the database directory which contains the certificates and keys\&.
.sp
\fBsignver\fR
supports two types of databases: the legacy security databases (cert8\&.db,
key3\&.db, and
secmod\&.db) and new SQLite databases (cert9\&.db,
key4\&.db, and
pkcs11\&.txt)\&. If the prefix
\fBsql:\fR
is not used, then the tool assumes that the given databases are in the old format\&.
.RE
.PP
\-a
.RS 4
Specifies that the given signature file is in ASCII format\&.
.RE
.PP
\-i \fIinput_file\fR
.RS 4
Gives the input file for the object with signed data\&.
.RE
.PP
\-o \fIoutput_file\fR
.RS 4
Gives the output file to which to write the results\&.
.RE
.PP
\-s \fIsignature_file\fR
.RS 4
Gives the input file for the digital signature\&.
.RE
.PP
\-v
.RS 4
Enables verbose output\&.
.RE
.SH "EXTENDED EXAMPLES"
.SS "Verifying a Signature"
.PP
The
\fB\-V\fR
option verifies that the signature in a given signature file is valid when used to sign the given object (from the input file)\&.
.sp
.if n \{\
.RS 4
.\}
.nf
signver \-V \-s \fIsignature_file\fR \-i \fIsigned_file\fR \-d sql:/home/my/sharednssdb

signatureValid=yes
.fi
.if n \{\
.RE
.\}
.SS "Printing Signature Data"
.PP
The
\fB\-A\fR
option prints all of the information contained in a signature file\&. Using the
\fB\-o\fR
option prints the signature file information to the given output file rather than stdout\&.
.sp
.if n \{\
.RS 4
.\}
.nf
signver \-A \-s \fIsignature_file\fR \-o \fIoutput_file\fR
.fi
.if n \{\
.RE
.\}
.SH "NSS DATABASE TYPES"
.PP
NSS originally used BerkeleyDB databases to store security information\&. The last versions of these
\fIlegacy\fR
databases are:
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
cert8\&.db for certificates
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
key3\&.db for keys
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
secmod\&.db for PKCS #11 module information
.RE
.PP
BerkeleyDB has performance limitations, though, which prevent it from being easily used by multiple applications simultaneously\&. NSS has some flexibility that allows applications to use their own, independent database engine while keeping a shared database and working around the access issues\&. Still, NSS requires more flexibility to provide a truly shared security database\&.
.PP
In 2009, NSS introduced a new set of databases that are SQLite databases rather than BerkeleyDB\&. These new databases provide more accessibility and performance:
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
cert9\&.db for certificates
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
key4\&.db for keys
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
pkcs11\&.txt, which is a listing of all of the PKCS #11 modules contained in a new subdirectory in the security databases directory
.RE
.PP
Because the SQLite databases are designed to be shared, these are the
\fIshared\fR
database type\&. The shared database type is preferred; the legacy format is included for backward compatibility\&.
.PP
By default, the tools (\fBcertutil\fR,
\fBpk12util\fR,
\fBmodutil\fR) assume that the given security databases follow the more common legacy type\&. Using the SQLite databases must be manually specified by using the
\fBsql:\fR
prefix with the given security directory\&. For example:
.sp
.if n \{\
.RS 4
.\}
.nf
# signver \-A \-s \fIsignature\fR \-d sql:/home/my/sharednssdb
.fi
.if n \{\
.RE
.\}
.PP
To set the shared database type as the default type for the tools, set the
\fBNSS_DEFAULT_DB_TYPE\fR
environment variable to
\fBsql\fR:
.sp
.if n \{\
.RS 4
.\}
.nf
export NSS_DEFAULT_DB_TYPE="sql"
.fi
.if n \{\
.RE
.\}
.PP
This line can be added to the
~/\&.bashrc
file to make the change permanent for the user\&.
.PP
Most applications do not use the shared database by default, but they can be configured to use it\&. For example, this how\-to article covers how to configure Firefox and Thunderbird to use the new shared NSS databases:
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
https://wiki\&.mozilla\&.org/NSS_Shared_DB_Howto
.RE
.PP
For an engineering draft on the changes in the shared NSS databases, see the NSS project wiki:
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
https://wiki\&.mozilla\&.org/NSS_Shared_DB
.RE
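An added example (not part of the NSS documentation or code): a fail-closed shell wrapper around the \-V invocation documented above that chooses the sql: prefix from the database files present in the directory and accepts only the documented signatureValid=yes output line. The function names are hypothetical, and deciding on the output line rather than on the exit status of signver is an assumption made here.

```shell
#!/bin/sh
# Added example: helpers around signver as documented on this page.
# nss_db_arg, signature_is_valid and verify_detached are hypothetical names.

# Print the value to pass to -d for an NSS database directory.
# Shared (SQLite) databases need the sql: prefix; legacy ones take the bare
# path. When both sets of files exist, the preferred shared type wins.
nss_db_arg() {
    dir=$1
    if [ -f "$dir/cert9.db" ] && [ -f "$dir/key4.db" ]; then
        printf 'sql:%s\n' "$dir"
    elif [ -f "$dir/cert8.db" ] && [ -f "$dir/key3.db" ]; then
        printf '%s\n' "$dir"
    else
        echo "no NSS database found in $dir" >&2
        return 1
    fi
}

# Read signver -V output on stdin. Succeed only if one whole line is exactly
# signatureValid=yes; empty or any other output counts as not verified.
signature_is_valid() {
    grep -qx 'signatureValid=yes'
}

# verify_detached SIGNATURE_FILE SIGNED_FILE DB_DIR
# Returns 0 when verified, 1 when not verified, 2 when no database is found.
verify_detached() {
    db=$(nss_db_arg "$3") || return 2
    # Fail closed: a missing binary, a crash or unexpected output all leave
    # the pipeline without the expected line, so the result is non-zero.
    signver -V -s "$1" -i "$2" -d "$db" 2>/dev/null | signature_is_valid
}
```

Gate any later step on the exit status of verify_detached, called with the signature file, the signed file and the database directory.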
.SH "SEE ALSO"
.PP
signtool (1)
.PP
The NSS wiki has information on the new database design and how to configure applications to use it\&.
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Setting up the shared NSS database
.sp
https://wiki\&.mozilla\&.org/NSS_Shared_DB_Howto
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
Engineering and technical information about the shared NSS database
.sp
https://wiki\&.mozilla\&.org/NSS_Shared_DB
.RE
.SH "ADDITIONAL RESOURCES"
.PP
For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at
\m[blue]\fBhttp://www\&.mozilla\&.org/projects/security/pki/nss/\fR\m[]\&. The NSS site relates directly to NSS code changes and releases\&.
.PP
Mailing lists: https://lists\&.mozilla\&.org/listinfo/dev\-tech\-crypto
.PP
IRC: Freenode at #dogtag\-pki
.SH "AUTHORS"
.PP
The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google\&.
.PP
Authors: Elio Maldonado <emaldona@redhat\&.com>, Deon Lackey <dlackey@redhat\&.com>\&.
.SH "LICENSE"
.PP
Licensed under the Mozilla Public License, v\&. 2\&.0\&. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla\&.org/MPL/2\&.0/\&.
.SH "NOTES"
.IP " 1." 4
Mozilla NSS bug 836477
.RS 4
\%https://bugzilla.mozilla.org/show_bug.cgi?id=836477
.RE