diff options
Diffstat (limited to 'doc/html/signver.html')
| -rw-r--r-- | doc/html/signver.html | 35 |
1 files changed, 35 insertions, 0 deletions
diff --git a/doc/html/signver.html b/doc/html/signver.html new file mode 100644 index 000000000..7af22ce2e --- /dev/null +++ b/doc/html/signver.html @@ -0,0 +1,35 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>SIGNVER</title><meta name="generator" content="DocBook XSL Stylesheets V1.77.1"><link rel="home" href="index.html" title="SIGNVER"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">SIGNVER</th></tr></table><hr></div><div class="refentry"><a name="signver"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>signver — Verify a detached PKCS#7 signature for a file.</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">signtool</code> -A | -V -d <em class="replaceable"><code>directory</code></em> [-a] [-i <em class="replaceable"><code>input_file</code></em>] [-o <em class="replaceable"><code>output_file</code></em>] [-s <em class="replaceable"><code>signature_file</code></em>] [-v]</p></div></div><div class="refsection"><a name="idp4236688"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a> + </p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The Signature Verification Tool, <span class="command"><strong>signver</strong></span>, is a simple command-line utility that unpacks a base-64-encoded PKCS#7 signed object and verifies the digital signature using standard cryptographic techniques. The Signature Verification Tool can also display the contents of the signed object.</p></div><div class="refsection"><a name="options"></a><h2>Options</h2><div class="variablelist"><dl class="variablelist"><dt><span class="term">-A</span></dt><dd><p>Displays all of the information in the PKCS#7 signature.</p></dd><dt><span class="term">-V</span></dt><dd><p>Verifies the digital signature.</p></dd><dt><span class="term">-d [sql:]<span class="emphasis"><em>directory</em></span></span></dt><dd><p>Specify the database directory which contains the certificates and keys.</p><p><span class="command"><strong>signver</strong></span> supports two types of databases: the legacy security databases (<code class="filename">cert8.db</code>, <code class="filename">key3.db</code>, and <code class="filename">secmod.db</code>) and new SQLite databases (<code class="filename">cert9.db</code>, <code class="filename">key4.db</code>, and <code class="filename">pkcs11.txt</code>). If the prefix <span class="command"><strong>sql:</strong></span> is not used, then the tool assumes that the given databases are in the old format.</p></dd><dt><span class="term">-a</span></dt><dd><p>Sets that the given signature file is in ASCII format.</p></dd><dt><span class="term">-i <span class="emphasis"><em>input_file</em></span></span></dt><dd><p>Gives the input file for the object with signed data.</p></dd><dt><span class="term">-o <span class="emphasis"><em>output_file</em></span></span></dt><dd><p>Gives the output file to which to write the results.</p></dd><dt><span class="term">-s <span class="emphasis"><em>signature_file</em></span></span></dt><dd><p>Gives the input file for the digital signature.</p></dd><dt><span class="term">-v</span></dt><dd><p>Enables verbose output.</p></dd></dl></div></div><div class="refsection"><a name="examples"></a><h2>Extended Examples</h2><div class="refsection"><a name="idp367200"></a><h3>Verifying a Signature</h3><p>The <code class="option">-V</code> option verifies that the signature in a given signature file is valid when used to sign the given object (from the input file).</p><pre class="programlisting">signver -V -s <em class="replaceable"><code>signature_file</code></em> -i <em class="replaceable"><code>signed_file</code></em> -d sql:/home/my/sharednssdb + +signatureValid=yes</pre></div><div class="refsection"><a name="idp370464"></a><h3>Printing Signature Data</h3><p> + The <code class="option">-A</code> option prints all of the information contained in a signature file. Using the <code class="option">-o</code> option prints the signature file information to the given output file rather than stdout. + </p><pre class="programlisting">signver -A -s <em class="replaceable"><code>signature_file</code></em> -o <em class="replaceable"><code>output_file</code></em></pre></div></div><div class="refsection"><a name="databases"></a><h2>NSS Database Types</h2><p>NSS originally used BerkeleyDB databases to store security information. +The last versions of these <span class="emphasis"><em>legacy</em></span> databases are:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p> + cert8.db for certificates + </p></li><li class="listitem"><p> + key3.db for keys + </p></li><li class="listitem"><p> + secmod.db for PKCS #11 module information + </p></li></ul></div><p>BerkeleyDB has performance limitations, though, which prevent it from being easily used by multiple applications simultaneously. NSS has +some flexibility that allows applications to use their own, independent database engine while keeping a shared database and working around the access issues. Still, NSS +requires more flexibility to provide a truly shared security database.</p><p>In 2009, NSS introduced a new set of databases that are SQLite databases rather than +BerkleyDB. These new databases provide more accessibility and performance:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p> + cert9.db for certificates + </p></li><li class="listitem"><p> + key4.db for keys + </p></li><li class="listitem"><p> + pkcs11.txt, which is listing of all of the PKCS #11 modules contained in a new subdirectory in the security databases directory + </p></li></ul></div><p>Because the SQLite databases are designed to be shared, these are the <span class="emphasis"><em>shared</em></span> database type. The shared database type is preferred; the legacy format is included for backward compatibility.</p><p>By default, the tools (<span class="command"><strong>certutil</strong></span>, <span class="command"><strong>pk12util</strong></span>, <span class="command"><strong>modutil</strong></span>) assume that the given security databases follow the more common legacy type. +Using the SQLite databases must be manually specified by using the <span class="command"><strong>sql:</strong></span> prefix with the given security directory. For example:</p><pre class="programlisting"># signver -A -s <em class="replaceable"><code>signature</code></em> -d sql:/home/my/sharednssdb</pre><p>To set the shared database type as the default type for the tools, set the <code class="envar">NSS_DEFAULT_DB_TYPE</code> environment variable to <code class="envar">sql</code>:</p><pre class="programlisting">export NSS_DEFAULT_DB_TYPE="sql"</pre><p>This line can be set added to the <code class="filename">~/.bashrc</code> file to make the change permanent.</p><p>Most applications do not use the shared database by default, but they can be configured to use them. For example, this how-to article covers how to configure Firefox and Thunderbird to use the new shared NSS databases:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p> + https://wiki.mozilla.org/NSS_Shared_DB_Howto</p></li></ul></div><p>For an engineering draft on the changes in the shared NSS databases, see the NSS project wiki:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p> + https://wiki.mozilla.org/NSS_Shared_DB + </p></li></ul></div></div><div class="refsection"><a name="seealso"></a><h2>See Also</h2><p>signtool (1)</p><p>The NSS wiki has information on the new database design and how to configure applications to use it.</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>Setting up the shared NSS database</p><p>https://wiki.mozilla.org/NSS_Shared_DB_Howto</p></li><li class="listitem"><p> + Engineering and technical information about the shared NSS database + </p><p> + https://wiki.mozilla.org/NSS_Shared_DB + </p></li></ul></div></div><div class="refsection"><a name="resources"></a><h2>Additional Resources</h2><p>For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at <a class="ulink" href="http://www.mozilla.org/projects/security/pki/nss/" target="_top">http://www.mozilla.org/projects/security/pki/nss/</a>. The NSS site relates directly to NSS code changes and releases.</p><p>Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto</p><p>IRC: Freenode at #dogtag-pki</p></div><div class="refsection"><a name="authors"></a><h2>Authors</h2><p>The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun.</p><p> + Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey <dlackey@redhat.com>. + </p></div><div class="refsection"><a name="license"></a><h2>LICENSE</h2><p>Licensed under the Mozilla Public License, version 1.1, + and/or the GNU General Public License, version 2 or later, + and/or the GNU Lesser General Public License, version 2.1 or later. + </p></div></div><div class="navfooter"><hr></div></body></html> |