# HG changeset patch
# User Daiki Ueno <dueno@redhat.com>
# Date 1544699159 -3600
# Thu Dec 13 12:05:59 2018 +0100
# Node ID 0124a811bdf7abfe4bcf135ccc8c719b14db0580
# Parent 5b2efc615899a283c1ab2e26ddb41684aeae60f0
Add manual for nss-policy-check
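--- a/doc/Makefile
+++ b/doc/Makefile
@@ -21,7 +21,7 @@ all: prepare all-man all-html
 prepare: date-and-version
 mkdir -p html
 mkdir -p nroff
-
+
 clean:
 rm -f date.xml version.xml *.tar.bz2
 rm -f html/*.proc
@@ -45,11 +45,11 @@ version.xml:
 
 nroff/%.1 : %.xml
 $(COMPILE.1) $<
-
+
 MANPAGES = \
 nroff/certutil.1 nroff/cmsutil.1 nroff/crlutil.1 nroff/pk12util.1 \
 nroff/modutil.1 nroff/ssltap.1 nroff/derdump.1 nroff/signtool.1 nroff/signver.1 \
-nroff/pp.1 nroff/vfychain.1 nroff/vfyserv.1
+nroff/pp.1 nroff/vfychain.1 nroff/vfyserv.1 nroff/nss-policy-check.1
 
 all-man: prepare $(MANPAGES)
 
@@ -64,6 +64,6 @@ html/%.html : %.xml
 HTMLPAGES = \
 html/certutil.html html/cmsutil.html html/crlutil.html html/pk12util.html html/modutil.html \
 html/ssltap.html html/derdump.html html/signtool.html html/signver.html html/pp.html \
-html/vfychain.html html/vfyserv.html
+html/vfychain.html html/vfyserv.html html/nss-policy-check.html
 
 all-html: prepare $(HTMLPAGES)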
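--- a/doc/certutil.xml
+++ b/doc/certutil.xml
@@ -180,6 +180,10 @@ For certificate requests, ASCII output d
 </varlistentry>
 
 <varlistentry>
+ <term>--simple-self-signed</term>
+ <listitem><para>When printing the certificate chain, don't search for a chain if issuer name equals to subject name.</para></listitem>
+ </varlistentry>
+ <varlistentry>
 <term>-b validity-time</term>
 <listitem><para>Specify a time at which a certificate is required to be valid. Use when checking certificate validity with the <option>-V</option> option. The format of the <emphasis>validity-time</emphasis> argument is <emphasis>YYMMDDHHMMSS[+HHMM|-HHMM|Z]</emphasis>, which allows offsets to be set relative to the validity end time. Specifying seconds (<emphasis>SS</emphasis>) is optional. When specifying an explicit time, use a Z at the end of the term, <emphasis>YYMMDDHHMMSSZ</emphasis>, to close it. When specifying an offset time, use <emphasis>YYMMDDHHMMSS+HHMM</emphasis> or <emphasis>YYMMDDHHMMSS-HHMM</emphasis> for adding or subtracting time, respectively.
 </para>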
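--- /dev/null
+++ b/doc/nss-policy-check.xml
@@ -0,0 +1,97 @@
+
+
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+
+
+]>
+
+<refentry id="nss-policy-check">
+
+ <refentryinfo>
+ <date>&dat;;</date>
+ <title>NSS Security Tools</title>
+ <productname>nss-tools</productname>
+ <productnumber>&version;</productnumber>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle>NSS-POLICY-CHECK</refentrytitle>
+ <manvolnum>1</manvolnum>
+ </refmeta>
+
+ <refnamediv>
+ <refname>nss-policy-check</refname>
+ <refpurpose>nss-policy-check policy-file</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>nss-policy-check</command>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsection id="description">
+ <title>Description</title>
+ <para><command>nss-policy-check</command> verifies crypto-policy configuration that controls certain crypto algorithms are allowed/disallowed to use in the NSS library.</para>
+
+ <para>The crypto-policy configuration can be stored in either a system-wide configuration file, specified with the POLICY_PATH and POLICY_FILE build options, or in the pkcs11.txt in NSS database.</para>
+ </refsection>
+
+ <refsection id="basic-usage">
+ <title>Usage and Examples</title>
+ <para>To check the global crypto-policy configuration in <filename>/etc/crypto-policies/back-ends/nss.config</filename>:
+ </para>
+ <programlisting>$ nss-policy-check /etc/crypto-policies/back-ends/nss.config
+NSS-POLICY-INFO: LOADED-SUCCESSFULLY
+NSS-POLICY-INFO: PRIME256V1 is enabled for KX
+NSS-POLICY-INFO: PRIME256V1 is enabled for CERT-SIGNATURE
+NSS-POLICY-INFO: SECP256R1 is enabled for KX
+NSS-POLICY-INFO: SECP256R1 is enabled for CERT-SIGNATURE
+NSS-POLICY-INFO: SECP384R1 is enabled for KX
+NSS-POLICY-INFO: SECP384R1 is enabled for CERT-SIGNATURE
+...
+NSS-POLICY-INFO: NUMBER-OF-SSL-ALG-KX: 13
+NSS-POLICY-INFO: NUMBER-OF-SSL-ALG: 9
+NSS-POLICY-INFO: NUMBER-OF-CERT-SIG: 9
+...
+NSS-POLICY-INFO: ciphersuite TLS_AES_128_GCM_SHA256 is enabled
+NSS-POLICY-INFO: ciphersuite TLS_CHACHA20_POLY1305_SHA256 is enabled
+NSS-POLICY-INFO: ciphersuite TLS_AES_256_GCM_SHA384 is enabled
+...
+NSS-POLICY-INFO: NUMBER-OF-CIPHERSUITES: 24
+NSS-POLICY-INFO: NUMBER-OF-TLS-VERSIONS: 3
+NSS-POLICY-INFO: NUMBER-OF-DTLS-VERSIONS: 2
+ </programlisting>
+ <para>If there is a failure or warning, it will be prefixed with
+ NSS-POLICY-FAIL or NSS-POLICY_WARN.
+ </para>
+ <para><command>nss-policy-check</command> exits with 2 if any
+ failure is found, 1 if any warning is found, or 0 if no errors are
+ found.</para>
+ </refsection>
+
+
+ <refsection id="resources">
+ <title>Additional Resources</title>
+ <para>For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at <ulink url="http://www.mozilla.org/projects/security/pki/nss/">http://www.mozilla.org/projects/security/pki/nss/</ulink>. The NSS site relates directly to NSS code changes and releases.</para>
+ <para>Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto</para>
+ <para>IRC: Freenode at #dogtag-pki</para>
+ </refsection>
+
+
+ <refsection id="authors">
+ <title>Authors</title>
+ <para>The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
+ <para>
+ Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey <dlackey@redhat.com>.
+ </para>
+ </refsection>
+
+
+ <refsection id="license">
+ <title>LICENSE</title>
+ <para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ </para>
+ </refsection>
+
+</refentry>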
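Review bot: The `NSS-POLICY_WARN` prefix on the line after `<para>If there is a failure or warning` uses an underscore while every other prefix on this page (`NSS-POLICY-INFO`, `NSS-POLICY-FAIL`) is hyphenated; unless the tool really prints an underscore there, the line should read `NSS-POLICY-FAIL or NSS-POLICY-WARN.`, because anything that scans the output for warnings (the 2/1/0 exit codes are documented right below) will otherwise match nothing. The `<cmdsynopsis>` lists only `<command>nss-policy-check</command>` while the mandatory argument is shown in `<refpurpose>` instead; the argument belongs in the synopsis, e.g. `<arg choice="plain"><replaceable>policy-file</replaceable></arg>`, with `<refpurpose>` reduced to a one-line purpose such as `verify a crypto-policy configuration file`. The `<date>&dat;;</date>` line as rendered here is not a well-formed entity reference; if that is not an artifact of this page it presumably should be the date entity declared in the DOCTYPE internal subset (not visible here), written like `&version;` below it.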
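--- a/doc/pk12util.xml
+++ b/doc/pk12util.xml
@@ -108,7 +108,7 @@
 </varlistentry>
 
 <varlistentry>
- <term>-n | --cert-key-len certKeyLength</term>
+ <term>--cert-key-len certKeyLength</term>
 <listitem><para>Specify the desired length of the symmetric key to be used to encrypt the certificates and other meta-data.</para></listitem>
 </varlistentry>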