# HG changeset patch # User Daiki Ueno # Date 1544699159 -3600 # Thu Dec 13 12:05:59 2018 +0100 # Node ID 0124a811bdf7abfe4bcf135ccc8c719b14db0580 # Parent 5b2efc615899a283c1ab2e26ddb41684aeae60f0 Add manual for nss-policy-check diff --git a/doc/Makefile b/doc/Makefile --- a/doc/Makefile +++ b/doc/Makefile @@ -21,7 +21,7 @@ all: prepare all-man all-html prepare: date-and-version mkdir -p html mkdir -p nroff - + clean: rm -f date.xml version.xml *.tar.bz2 rm -f html/*.proc @@ -45,11 +45,11 @@ version.xml: nroff/%.1 : %.xml $(COMPILE.1) $< - + MANPAGES = \ nroff/certutil.1 nroff/cmsutil.1 nroff/crlutil.1 nroff/pk12util.1 \ nroff/modutil.1 nroff/ssltap.1 nroff/derdump.1 nroff/signtool.1 nroff/signver.1 \ -nroff/pp.1 nroff/vfychain.1 nroff/vfyserv.1 +nroff/pp.1 nroff/vfychain.1 nroff/vfyserv.1 nroff/nss-policy-check.1 all-man: prepare $(MANPAGES) @@ -64,6 +64,6 @@ html/%.html : %.xml HTMLPAGES = \ html/certutil.html html/cmsutil.html html/crlutil.html html/pk12util.html html/modutil.html \ html/ssltap.html html/derdump.html html/signtool.html html/signver.html html/pp.html \ -html/vfychain.html html/vfyserv.html +html/vfychain.html html/vfyserv.html html/nss-policy-check.html all-html: prepare $(HTMLPAGES) diff --git a/doc/certutil.xml b/doc/certutil.xml --- a/doc/certutil.xml +++ b/doc/certutil.xml @@ -180,6 +180,10 @@ For certificate requests, ASCII output d + --simple-self-signed + When printing the certificate chain, don't search for a chain if issuer name equals to subject name. + + -b validity-time Specify a time at which a certificate is required to be valid. Use when checking certificate validity with the option. The format of the validity-time argument is YYMMDDHHMMSS[+HHMM|-HHMM|Z], which allows offsets to be set relative to the validity end time. Specifying seconds (SS) is optional. When specifying an explicit time, use a Z at the end of the term, YYMMDDHHMMSSZ, to close it. When specifying an offset time, use YYMMDDHHMMSS+HHMM or YYMMDDHHMMSS-HHMM for adding or subtracting time, respectively. diff --git a/doc/nss-policy-check.xml b/doc/nss-policy-check.xml new file mode 100644 --- /dev/null +++ b/doc/nss-policy-check.xml @@ -0,0 +1,97 @@ + + + +]> + + + + + &date; + NSS Security Tools + nss-tools + &version; + + + + NSS-POLICY-CHECK + 1 + + + + nss-policy-check + nss-policy-check policy-file + + + + + nss-policy-check + + + + + Description + nss-policy-check verifies crypto-policy configuration that controls certain crypto algorithms are allowed/disallowed to use in the NSS library. + + The crypto-policy configuration can be stored in either a system-wide configuration file, specified with the POLICY_PATH and POLICY_FILE build options, or in the pkcs11.txt in NSS database. + + + + Usage and Examples + To check the global crypto-policy configuration in /etc/crypto-policies/back-ends/nss.config: + + $ nss-policy-check /etc/crypto-policies/back-ends/nss.config +NSS-POLICY-INFO: LOADED-SUCCESSFULLY +NSS-POLICY-INFO: PRIME256V1 is enabled for KX +NSS-POLICY-INFO: PRIME256V1 is enabled for CERT-SIGNATURE +NSS-POLICY-INFO: SECP256R1 is enabled for KX +NSS-POLICY-INFO: SECP256R1 is enabled for CERT-SIGNATURE +NSS-POLICY-INFO: SECP384R1 is enabled for KX +NSS-POLICY-INFO: SECP384R1 is enabled for CERT-SIGNATURE +... +NSS-POLICY-INFO: NUMBER-OF-SSL-ALG-KX: 13 +NSS-POLICY-INFO: NUMBER-OF-SSL-ALG: 9 +NSS-POLICY-INFO: NUMBER-OF-CERT-SIG: 9 +... +NSS-POLICY-INFO: ciphersuite TLS_AES_128_GCM_SHA256 is enabled +NSS-POLICY-INFO: ciphersuite TLS_CHACHA20_POLY1305_SHA256 is enabled +NSS-POLICY-INFO: ciphersuite TLS_AES_256_GCM_SHA384 is enabled +... +NSS-POLICY-INFO: NUMBER-OF-CIPHERSUITES: 24 +NSS-POLICY-INFO: NUMBER-OF-TLS-VERSIONS: 3 +NSS-POLICY-INFO: NUMBER-OF-DTLS-VERSIONS: 2 + + If there is a failure or warning, it will be prefixed with + NSS-POLICY-FAIL or NSS-POLICY_WARN. + + nss-policy-check exits with 2 if any + failure is found, 1 if any warning is found, or 0 if no errors are + found. + + + + + Additional Resources + For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates directly to NSS code changes and releases. + Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto + IRC: Freenode at #dogtag-pki + + + + + Authors + The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google. + + Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey <dlackey@redhat.com>. + + + + + + LICENSE + Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. + + + + diff --git a/doc/pk12util.xml b/doc/pk12util.xml --- a/doc/pk12util.xml +++ b/doc/pk12util.xml @@ -108,7 +108,7 @@ - -n | --cert-key-len certKeyLength + --cert-key-len certKeyLength Specify the desired length of the symmetric key to be used to encrypt the certificates and other meta-data.