Bug 1513909, add manual for nss-policy-check, r=rrelyea
--HG--
extra : amend_source : 94b342643a688a3a804b23aa4ab24620585815f1
ueno committed Mar 4, 2019
1 parent 34e8f12 commit 8dfd93f
Showing 4 changed files with 104 additions and 3 deletions.
4 changes: 2 additions & 2 deletions doc/Makefile
Expand Up @@ -49,7 +49,7 @@ nroff/%.1 : %.xml
MANPAGES = \
nroff/certutil.1 nroff/cmsutil.1 nroff/crlutil.1 nroff/pk12util.1 \
nroff/modutil.1 nroff/ssltap.1 nroff/derdump.1 nroff/signtool.1 nroff/signver.1 \
nroff/pp.1 nroff/vfychain.1 nroff/vfyserv.1
nroff/pp.1 nroff/vfychain.1 nroff/vfyserv.1 nroff/nss-policy-check.1

all-man: prepare $(MANPAGES)

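Review bot: The new `nroff/nss-policy-check.1` entry is placed on the final continuation line of MANPAGES, which is the right spot, and the pattern rule `nroff/%.1 : %.xml` in the hunk header means the page builds only if the source is named exactly `doc/nss-policy-check.xml`, which this commit does add. The man and HTML lists in this Makefile are maintained by hand in two places, so a forgotten entry in one of them silently drops a page; a single `PAGES` variable with `$(PAGES:%=nroff/%.1)` and `$(PAGES:%=html/%.html)` would remove that drift.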
Expand All @@ -64,6 +64,6 @@ html/%.html : %.xml
HTMLPAGES = \
html/certutil.html html/cmsutil.html html/crlutil.html html/pk12util.html html/modutil.html \
html/ssltap.html html/derdump.html html/signtool.html html/signver.html html/pp.html \
html/vfychain.html html/vfyserv.html
html/vfychain.html html/vfyserv.html html/nss-policy-check.html

all-html: prepare $(HTMLPAGES)
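Review bot: Consistent with the MANPAGES change above; `html/nss-policy-check.html` is appended to the last line of HTMLPAGES, so the `html/%.html : %.xml` rule will pick up the same new source file. Nothing to change here beyond the hand-duplicated list noted for the previous hunk.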
4 changes: 4 additions & 0 deletions doc/certutil.xml
Expand Up @@ -179,6 +179,10 @@ Use the -a argument to specify ASCII output.</para></listitem>
For certificate requests, ASCII output defaults to standard output unless redirected.</para></listitem>
</varlistentry>

<varlistentry>
<term>--simple-self-signed</term>
<listitem><para>When printing the certificate chain, don't search for a chain if issuer name equals to subject name.</para></listitem>
</varlistentry>
<varlistentry>
<term>-b validity-time</term>
<listitem><para>Specify a time at which a certificate is required to be valid. Use when checking certificate validity with the <option>-V</option> option. The format of the <emphasis>validity-time</emphasis> argument is <emphasis>YYMMDDHHMMSS[+HHMM|-HHMM|Z]</emphasis>, which allows offsets to be set relative to the validity end time. Specifying seconds (<emphasis>SS</emphasis>) is optional. When specifying an explicit time, use a Z at the end of the term, <emphasis>YYMMDDHHMMSSZ</emphasis>, to close it. When specifying an offset time, use <emphasis>YYMMDDHHMMSS+HHMM</emphasis> or <emphasis>YYMMDDHHMMSS-HHMM</emphasis> for adding or subtracting time, respectively.
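Review bot: This `--simple-self-signed` entry is unrelated to the nss-policy-check manual that the commit message describes and is not mentioned in it, so it would be easier to track as its own change. Within the entry, "if issuer name equals to subject name" should read "if the issuer name equals the subject name", and the new `</varlistentry>` runs directly into the following `<varlistentry>` for `-b` without the blank line that separates the other entries in this file.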
97 changes: 97 additions & 0 deletions doc/nss-policy-check.xml
@@ -0,0 +1,97 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
<!ENTITY date SYSTEM "date.xml">
<!ENTITY version SYSTEM "version.xml">
]>

<refentry id="nss-policy-check">

<refentryinfo>
<date>&date;</date>
<title>NSS Security Tools</title>
<productname>nss-tools</productname>
<productnumber>&version;</productnumber>
</refentryinfo>

<refmeta>
<refentrytitle>NSS-POLICY-CHECK</refentrytitle>
<manvolnum>1</manvolnum>
</refmeta>

<refnamediv>
<refname>nss-policy-check</refname>
<refpurpose>nss-policy-check policy-file</refpurpose>
</refnamediv>

<refsynopsisdiv>
<cmdsynopsis>
<command>nss-policy-check</command>
</cmdsynopsis>
</refsynopsisdiv>

<refsection id="description">
<title>Description</title>
<para><command>nss-policy-check</command> verifies crypto-policy configuration that controls certain crypto algorithms are allowed/disallowed to use in the NSS library.</para>

<para>The crypto-policy configuration can be stored in either a system-wide configuration file, specified with the POLICY_PATH and POLICY_FILE build options, or in the pkcs11.txt in NSS database.</para>
</refsection>

<refsection id="basic-usage">
<title>Usage and Examples</title>
<para>To check the global crypto-policy configuration in <filename>/etc/crypto-policies/back-ends/nss.config</filename>:
</para>
<programlisting>$ nss-policy-check /etc/crypto-policies/back-ends/nss.config
NSS-POLICY-INFO: LOADED-SUCCESSFULLY
NSS-POLICY-INFO: PRIME256V1 is enabled for KX
NSS-POLICY-INFO: PRIME256V1 is enabled for CERT-SIGNATURE
NSS-POLICY-INFO: SECP256R1 is enabled for KX
NSS-POLICY-INFO: SECP256R1 is enabled for CERT-SIGNATURE
NSS-POLICY-INFO: SECP384R1 is enabled for KX
NSS-POLICY-INFO: SECP384R1 is enabled for CERT-SIGNATURE
...
NSS-POLICY-INFO: NUMBER-OF-SSL-ALG-KX: 13
NSS-POLICY-INFO: NUMBER-OF-SSL-ALG: 9
NSS-POLICY-INFO: NUMBER-OF-CERT-SIG: 9
...
NSS-POLICY-INFO: ciphersuite TLS_AES_128_GCM_SHA256 is enabled
NSS-POLICY-INFO: ciphersuite TLS_CHACHA20_POLY1305_SHA256 is enabled
NSS-POLICY-INFO: ciphersuite TLS_AES_256_GCM_SHA384 is enabled
...
NSS-POLICY-INFO: NUMBER-OF-CIPHERSUITES: 24
NSS-POLICY-INFO: NUMBER-OF-TLS-VERSIONS: 3
NSS-POLICY-INFO: NUMBER-OF-DTLS-VERSIONS: 2
</programlisting>
<para>If there is a failure or warning, it will be prefixed with
NSS-POLICY-FAIL or NSS-POLICY_WARN.
</para>
<para><command>nss-policy-check</command> exits with 2 if any
failure is found, 1 if any warning is found, or 0 if no errors are
found.</para>
</refsection>

<!-- don't change -->
<refsection id="resources">
<title>Additional Resources</title>
<para>For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at <ulink url="http://www.mozilla.org/projects/security/pki/nss/">http://www.mozilla.org/projects/security/pki/nss/</ulink>. The NSS site relates directly to NSS code changes and releases.</para>
<para>Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto</para>
<para>IRC: Freenode at #dogtag-pki</para>
</refsection>

<!-- fill in your name first; keep the other names for reference -->
<refsection id="authors">
<title>Authors</title>
<para>The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
<para>
Authors: Elio Maldonado &lt;emaldona@redhat.com>, Deon Lackey &lt;dlackey@redhat.com>.
</para>
</refsection>

<!-- don't change -->
<refsection id="license">
<title>LICENSE</title>
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
</para>
</refsection>

</refentry>
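Review bot: `<refpurpose>` carries the command synopsis ("nss-policy-check policy-file") instead of a one-line description, while `<cmdsynopsis>` omits the mandatory policy-file argument; the two should be swapped, e.g. `<refpurpose>Verify a crypto-policy configuration file</refpurpose>` and `<command>nss-policy-check</command> <arg choice="plain">policy-file</arg>` inside the synopsis. The warning prefix is written "NSS-POLICY_WARN" (underscore) while every other prefix on the page is hyphenated (NSS-POLICY-INFO, NSS-POLICY-FAIL), so one spelling is a typo and the page should match what the tool actually prints. The first Description sentence does not parse ("verifies crypto-policy configuration that controls certain crypto algorithms are allowed/disallowed to use"); suggested wording: "verifies a crypto-policy configuration file, which controls which cryptographic algorithms the NSS library allows or disallows". Finally, the `<!-- fill in your name first; keep the other names for reference -->` template comment was left in place, but the Authors paragraph lists only the reference names and not the author of this page.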
2 changes: 1 addition & 1 deletion doc/pk12util.xml
Expand Up @@ -108,7 +108,7 @@
</varlistentry>

<varlistentry>
<term>-n | --cert-key-len certKeyLength</term>
<term>--cert-key-len certKeyLength</term>
<listitem><para>Specify the desired length of the symmetric key to be used to encrypt the certificates and other meta-data.</para></listitem>
</varlistentry>

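Review bot: Dropping `-n | ` from the `--cert-key-len` term is a correct fix, since `-n` is pk12util's certificate-nickname option elsewhere in this same page and was wrongly shown as a short alias here. Like the certutil change, it is unrelated to the nss-policy-check manual and is not mentioned in the commit message; a separate commit or an extra line in the message would keep the history searchable.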