From 8dfd93f2ce82bfa82d62209c2a350cf7241ef9ae Mon Sep 17 00:00:00 2001
From: Daiki Ueno
Date: Mon, 4 Mar 2019 14:58:28 +0100
Subject: [PATCH] Bug 1513909, add manual for nss-policy-check, r=rrelyea

--HG--
extra : amend_source : 94b342643a688a3a804b23aa4ab24620585815f1
---
 doc/Makefile | 8 ++--
 doc/certutil.xml | 4 ++
 doc/nss-policy-check.xml | 97 ++++++++++++++++++++++++++++++++++++++++
 doc/pk12util.xml | 2 +-
 4 files changed, 106 insertions(+), 5 deletions(-)
 create mode 100644 doc/nss-policy-check.xml

diff --git a/doc/Makefile b/doc/Makefile
index 444a81a30f..a4d85a69ce 100644
--- a/doc/Makefile
+++ b/doc/Makefile
@@ -21,7 +21,7 @@ all: prepare all-man all-html
 prepare: date-and-version
 	mkdir -p html
 	mkdir -p nroff
-
+
 clean:
 	rm -f date.xml version.xml *.tar.bz2
 	rm -f html/*.proc
@@ -45,11 +45,11 @@ version.xml:
 nroff/%.1 : %.xml
 	$(COMPILE.1) $<
-
+
 MANPAGES = \
 nroff/certutil.1 nroff/cmsutil.1 nroff/crlutil.1 nroff/pk12util.1 \
 nroff/modutil.1 nroff/ssltap.1 nroff/derdump.1 nroff/signtool.1 nroff/signver.1 \
-nroff/pp.1 nroff/vfychain.1 nroff/vfyserv.1
+nroff/pp.1 nroff/vfychain.1 nroff/vfyserv.1 nroff/nss-policy-check.1
 all-man: prepare $(MANPAGES)
@@ -64,6 +64,6 @@ html/%.html : %.xml
 HTMLPAGES = \
 html/certutil.html html/cmsutil.html html/crlutil.html html/pk12util.html html/modutil.html \
 html/ssltap.html html/derdump.html html/signtool.html html/signver.html html/pp.html \
-html/vfychain.html html/vfyserv.html
+html/vfychain.html html/vfyserv.html html/nss-policy-check.html
 all-html: prepare $(HTMLPAGES)
diff --git a/doc/certutil.xml b/doc/certutil.xml
index 5c3b3501ab..41659e2060 100644
--- a/doc/certutil.xml
+++ b/doc/certutil.xml
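Review bot: The new page has to be listed twice, in MANPAGES (the @@ -45 hunk) and again in HTMLPAGES (the @@ -64 hunk), because the two lists are maintained by hand in parallel with nothing tying them together, so a future page added to one and forgotten in the other would build without error but be missing from one output format. Both can be derived from a single list of page stems, which still lets the existing `nroff/%.1 : %.xml` and `html/%.html : %.xml` pattern rules pick the new source up unchanged: `PAGES := certutil cmsutil crlutil pk12util modutil ssltap derdump signtool signver pp vfychain vfyserv nss-policy-check`, `MANPAGES := $(PAGES:%=nroff/%.1)`, `HTMLPAGES := $(PAGES:%=html/%.html)`. Using `:=` there instead of the recursive `=` the lists carry today is a minor consistency point, harmless for literal lists. The added entries themselves are correct as written; this is a suggestion about how the lists are kept, not a defect in the change.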
@@ -179,6 +179,10 @@ Use the -a argument to specify ASCII output. For certificate requests, ASCII output defaults to standard output unless redirected.
+
+ --simple-self-signed
+ When printing the certificate chain, don't search for a chain if issuer name equals to subject name.
+
 -b validity-time Specify a time at which a certificate is required to be valid. Use when checking certificate validity with the option. The format of the validity-time argument is YYMMDDHHMMSS[+HHMM|-HHMM|Z], which allows offsets to be set relative to the validity end time. Specifying seconds (SS) is optional. When specifying an explicit time, use a Z at the end of the term, YYMMDDHHMMSSZ, to close it. When specifying an offset time, use YYMMDDHHMMSS+HHMM or YYMMDDHHMMSS-HHMM for adding or subtracting time, respectively.
diff --git a/doc/nss-policy-check.xml b/doc/nss-policy-check.xml
new file mode 100644
index 0000000000..1d891b8c3f
--- /dev/null
+++ b/doc/nss-policy-check.xml
@@ -0,0 +1,97 @@
+
+
+
+]>
+
+
+
+
+ &date;
+ NSS Security Tools
+ nss-tools
+ &version;
+
+
+
+ NSS-POLICY-CHECK
+ 1
+
+
+
+ nss-policy-check
+ nss-policy-check policy-file
+
+
+
+
+ nss-policy-check
+
+
+
+
+ Description
+ nss-policy-check verifies crypto-policy configuration that controls certain crypto algorithms are allowed/disallowed to use in the NSS library.
+
+ The crypto-policy configuration can be stored in either a system-wide configuration file, specified with the POLICY_PATH and POLICY_FILE build options, or in the pkcs11.txt in NSS database.
+
+
+
+ Usage and Examples
+ To check the global crypto-policy configuration in /etc/crypto-policies/back-ends/nss.config:
+
+ $ nss-policy-check /etc/crypto-policies/back-ends/nss.config
+NSS-POLICY-INFO: LOADED-SUCCESSFULLY
+NSS-POLICY-INFO: PRIME256V1 is enabled for KX
+NSS-POLICY-INFO: PRIME256V1 is enabled for CERT-SIGNATURE
+NSS-POLICY-INFO: SECP256R1 is enabled for KX
+NSS-POLICY-INFO: SECP256R1 is enabled for CERT-SIGNATURE
+NSS-POLICY-INFO: SECP384R1 is enabled for KX
+NSS-POLICY-INFO: SECP384R1 is enabled for CERT-SIGNATURE
+...
+NSS-POLICY-INFO: NUMBER-OF-SSL-ALG-KX: 13
+NSS-POLICY-INFO: NUMBER-OF-SSL-ALG: 9
+NSS-POLICY-INFO: NUMBER-OF-CERT-SIG: 9
+...
+NSS-POLICY-INFO: ciphersuite TLS_AES_128_GCM_SHA256 is enabled
+NSS-POLICY-INFO: ciphersuite TLS_CHACHA20_POLY1305_SHA256 is enabled
+NSS-POLICY-INFO: ciphersuite TLS_AES_256_GCM_SHA384 is enabled
+...
+NSS-POLICY-INFO: NUMBER-OF-CIPHERSUITES: 24
+NSS-POLICY-INFO: NUMBER-OF-TLS-VERSIONS: 3
+NSS-POLICY-INFO: NUMBER-OF-DTLS-VERSIONS: 2
+
+ If there is a failure or warning, it will be prefixed with
+ NSS-POLICY-FAIL or NSS-POLICY_WARN.
+
+ nss-policy-check exits with 2 if any
+ failure is found, 1 if any warning is found, or 0 if no errors are
+ found.
+
+
+
+
+ Additional Resources
+ For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at http://www.mozilla.org/projects/security/pki/nss/. 
The NSS site relates directly to NSS code changes and releases.
+ Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto
+ IRC: Freenode at #dogtag-pki
+
+
+
+
+ Authors
+ The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.
+
+ Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey <dlackey@redhat.com>.
+
+
+
+
+
+ LICENSE
+ Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+
+
diff --git a/doc/pk12util.xml b/doc/pk12util.xml
index 3f8eecf1b5..1bd218d147 100644
--- a/doc/pk12util.xml
+++ b/doc/pk12util.xml
@@ -108,7 +108,7 @@
- -n | --cert-key-len certKeyLength
+ --cert-key-len certKeyLength
 Specify the desired length of the symmetric key to be used to encrypt the certificates and other meta-data.