| @@ -1,144 +1,144 @@ | | | @@ -1,144 +1,144 @@ |
1 | .\" $NetBSD: nbsvtool.1,v 1.4 2008/07/15 12:14:13 wiz Exp $ | | 1 | .\" $NetBSD: nbsvtool.1,v 1.4.6.1 2009/03/15 20:02:24 snj Exp $ |
2 | .\" | | 2 | .\" |
3 | .\" Copyright (c) 2004-2008 The NetBSD Foundation, Inc. | | 3 | .\" Copyright (c) 2004-2008 The NetBSD Foundation, Inc. |
4 | .\" All rights reserved. | | 4 | .\" All rights reserved. |
5 | .\" | | 5 | .\" |
6 | .\" This code is derived from software contributed to The NetBSD Foundation | | 6 | .\" This code is derived from software contributed to The NetBSD Foundation |
7 | .\" by Love Hörnquist Åstrand <lha@it.su.se> | | 7 | .\" by Love Hörnquist Åstrand <lha@it.su.se> |
8 | .\" | | 8 | .\" |
9 | .\" Redistribution and use in source and binary forms, with or without | | 9 | .\" Redistribution and use in source and binary forms, with or without |
10 | .\" modification, are permitted provided that the following conditions | | 10 | .\" modification, are permitted provided that the following conditions |
11 | .\" are met: | | 11 | .\" are met: |
12 | .\" 1. Redistributions of source code must retain the above copyright | | 12 | .\" 1. Redistributions of source code must retain the above copyright |
13 | .\" notice, this list of conditions and the following disclaimer. | | 13 | .\" notice, this list of conditions and the following disclaimer. |
14 | .\" 2. Redistributions in binary form must reproduce the above copyright | | 14 | .\" 2. Redistributions in binary form must reproduce the above copyright |
15 | .\" notice, this list of conditions and the following disclaimer in the | | 15 | .\" notice, this list of conditions and the following disclaimer in the |
16 | .\" documentation and/or other materials provided with the distribution. | | 16 | .\" documentation and/or other materials provided with the distribution. |
17 | .\" | | 17 | .\" |
18 | .\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS | | 18 | .\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS |
19 | .\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED | | 19 | .\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED |
20 | .\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | | 20 | .\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
21 | .\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS | | 21 | .\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS |
22 | .\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR | | 22 | .\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR |
23 | .\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF | | 23 | .\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF |
24 | .\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS | | 24 | .\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS |
25 | .\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN | | 25 | .\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN |
26 | .\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | | 26 | .\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
27 | .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE | | 27 | .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE |
28 | .\" POSSIBILITY OF SUCH DAMAGE. | | 28 | .\" POSSIBILITY OF SUCH DAMAGE. |
29 | .Dd July 15, 2008 | | 29 | .Dd March 11, 2009 |
30 | .Dt NBSVTOOL 1 | | 30 | .Dt NBSVTOOL 1 |
31 | .Os | | 31 | .Os |
32 | .Sh NAME | | 32 | .Sh NAME |
33 | .Nm nbsvtool | | 33 | .Nm nbsvtool |
34 | .Nd create and verify detached signatures of files | | 34 | .Nd create and verify detached signatures of files |
35 | .Sh SYNOPSIS | | 35 | .Sh SYNOPSIS |
36 | .Nm nbsvtool | | 36 | .Nm nbsvtool |
37 | .OP Fl v | | 37 | .Op Fl v |
38 | .Op Fl a Ar anchor-certificates | | 38 | .Op Fl a Ar anchor-certificates |
39 | .Op Fl c Ar certificate-chain | | 39 | .Op Fl c Ar certificate-chain |
40 | .Op Fl f Ar certificate-file | | 40 | .Op Fl f Ar certificate-file |
41 | .Op Fl k Ar private-key-file | | 41 | .Op Fl k Ar private-key-file |
42 | .Op Fl u Ar required-key-usage | | 42 | .Op Fl u Ar required-key-usage |
43 | .Ar command | | 43 | .Ar command |
44 | .Ar args ... | | 44 | .Ar args ... |
45 | .Sh DESCRIPTION | | 45 | .Sh DESCRIPTION |
46 | .Nm | | 46 | .Nm |
47 | is used to create and verify detached X509 signatures of files. | | 47 | is used to create and verify detached X509 signatures of files. |
48 | Private keys and certificates are expected to be PEM encoded, | | 48 | Private keys and certificates are expected to be PEM encoded, |
49 | signatures are in PEM/SMIME format. | | 49 | signatures are in PEM/SMIME format. |
50 | .\" XXX: pointer to detailed description/documentation of these formats | | 50 | .\" XXX: pointer to detailed description/documentation of these formats |
51 | .\" XXX: pointer to concept explanation: key, certificate, signature, | | 51 | .\" XXX: pointer to concept explanation: key, certificate, signature, |
52 | .\" certificate chain | | 52 | .\" certificate chain |
53 | .Pp | | 53 | .Pp |
54 | Supported commands: | | 54 | Supported commands: |
55 | .Bl -tag -width Xverify-codeXfileX[signature]XXX | | 55 | .Bl -tag -width Xverify-codeXfileX[signature]XXX |
56 | .It sign Ar file | | 56 | .It sign Ar file |
57 | Sign | | 57 | Sign |
58 | .Ar file , | | 58 | .Ar file , |
59 | placing the signature in | | 59 | placing the signature in |
60 | .Ar file Ns Pa .sp7 . | | 60 | .Ar file Ns Pa .sp7 . |
61 | The options | | 61 | The options |
62 | .Fl f | | 62 | .Fl f |
63 | and | | 63 | and |
64 | .Fl k | | 64 | .Fl k |
65 | are required for this command. | | 65 | are required for this command. |
66 | .It verify Ar file Op Ar signature | | 66 | .It verify Ar file Op Ar signature |
67 | Verify signature for | | 67 | Verify signature for |
68 | .Ar file . | | 68 | .Ar file . |
69 | If | | 69 | If |
70 | .Ar signature | | 70 | .Ar signature |
71 | is not specified, | | 71 | is not specified, |
72 | .Ar file Ns Pa .sp7 | | 72 | .Ar file Ns Pa .sp7 |
73 | is used. | | 73 | is used. |
74 | .It verify-code Ar file Op Ar signature | | 74 | .It verify-code Ar file Op Ar signature |
75 | This is a short cut for verify with the option | | 75 | This is a short cut for verify with the option |
76 | .Fl u | | 76 | .Fl u |
77 | code. | | 77 | code. |
78 | .El | | 78 | .El |
79 | .Pp | | 79 | .Pp |
80 | Supported options: | | 80 | Supported options: |
81 | .Bl -tag -width XfXcertificateXchainXfileXXX | | 81 | .Bl -tag -width XfXcertificateXchainXfileXXX |
82 | .It Fl a Ar anchor-certificates | | 82 | .It Fl a Ar anchor-certificates |
83 | A file containing one or more (concatenated) keys that are considered | | 83 | A file containing one or more (concatenated) keys that are considered |
84 | trusted. | | 84 | trusted. |
85 | .It Fl c Ar certificate-chain | | 85 | .It Fl c Ar certificate-chain |
86 | A file containing additional certificates that will be added to the signature | | 86 | A file containing additional certificates that will be added to the signature |
87 | when creating one. | | 87 | when creating one. |
88 | They will be used to fill missing links in the trust chain when | | 88 | They will be used to fill missing links in the trust chain when |
89 | verifying the signature. | | 89 | verifying the signature. |
90 | .It Fl f Ar certificate-file | | 90 | .It Fl f Ar certificate-file |
91 | A file containing the certificate to use for signing. | | 91 | A file containing the certificate to use for signing. |
92 | The certificate must match the key given by | | 92 | The certificate must match the key given by |
93 | .Fl k . | | 93 | .Fl k . |
94 | .It Fl k Ar private-key-file | | 94 | .It Fl k Ar private-key-file |
95 | A file containing the private key to use for signing. | | 95 | A file containing the private key to use for signing. |
96 | .It Fl u Ar required-key-usage | | 96 | .It Fl u Ar required-key-usage |
97 | Verify that the extended key-usage attribute in the signing certificate | | 97 | Verify that the extended key-usage attribute in the signing certificate |
98 | matches | | 98 | matches |
99 | .Ar required-key-usage . | | 99 | .Ar required-key-usage . |
100 | Otherwise, the signature is rejected. | | 100 | Otherwise, the signature is rejected. |
101 | .Ar key usage | | 101 | .Ar key usage |
102 | can be one of: | | 102 | can be one of: |
103 | .Dq ssl-server , | | 103 | .Dq ssl-server , |
104 | .Dq ssl-client , | | 104 | .Dq ssl-client , |
105 | .Dq code , | | 105 | .Dq code , |
106 | or | | 106 | or |
107 | .Dq smime . | | 107 | .Dq smime . |
108 | .It Fl v | | 108 | .It Fl v |
109 | Print verbose information about the signing certificate. | | 109 | Print verbose information about the signing certificate. |
110 | .El | | 110 | .El |
111 | .Sh EXIT STATUS | | 111 | .Sh EXIT STATUS |
112 | .Ex -std | | 112 | .Ex -std |
113 | .Sh EXAMPLES | | 113 | .Sh EXAMPLES |
114 | Create signature file | | 114 | Create signature file |
115 | .Pa hello.sp7 | | 115 | .Pa hello.sp7 |
116 | for file | | 116 | for file |
117 | .Pa hello . | | 117 | .Pa hello . |
118 | The private key is found in file | | 118 | The private key is found in file |
119 | .Pa key , | | 119 | .Pa key , |
120 | the matching certificate is in | | 120 | the matching certificate is in |
121 | .Pa cert , | | 121 | .Pa cert , |
122 | additional certificates from | | 122 | additional certificates from |
123 | .Pa cert-chain | | 123 | .Pa cert-chain |
124 | are included in the created signature. | | 124 | are included in the created signature. |
125 | .Dl nbsvtool -k key -f cert -c cert-chain sign hello hello.sp7 | | 125 | .Dl nbsvtool -k key -f cert -c cert-chain sign hello hello.sp7 |
126 | .Pp | | 126 | .Pp |
127 | Verify that the signature | | 127 | Verify that the signature |
128 | .Pa hello.sp7 | | 128 | .Pa hello.sp7 |
129 | is valid for file | | 129 | is valid for file |
130 | .Pa hello | | 130 | .Pa hello |
131 | and that the signing certificate allows code signing. Certificates | | 131 | and that the signing certificate allows code signing. Certificates |
132 | in | | 132 | in |
133 | .Pa anchor-file | | 133 | .Pa anchor-file |
134 | are considered trusted, and there must be a certificate chain from one | | 134 | are considered trusted, and there must be a certificate chain from one |
135 | of those certificates to the signing certificate. | | 135 | of those certificates to the signing certificate. |
136 | .Dl nbsvtool -a anchor-file verify-code hello hello.sp7 | | 136 | .Dl nbsvtool -a anchor-file verify-code hello hello.sp7 |
137 | .Sh SEE ALSO | | 137 | .Sh SEE ALSO |
138 | .Xr openssl_smime 1 | | 138 | .Xr openssl_smime 1 |
139 | .\" XXX: pointer to X509 documentation, CA setup | | 139 | .\" XXX: pointer to X509 documentation, CA setup |
140 | .Sh CAVEATS | | 140 | .Sh CAVEATS |
141 | As there is currently no default trust anchor, you must explicilty | | 141 | As there is currently no default trust anchor, you must explicilty |
142 | specify one with | | 142 | specify one with |
143 | .Fl a , | | 143 | .Fl a , |
144 | otherwise no verification can succeed. | | 144 | otherwise no verification can succeed. |
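Review bot: the `.OP Fl v` to `.Op Fl v` change in the SYNOPSIS (old line 37, new line 37) is the right fix: `.OP` is not an mdoc(7) macro, so in this mdoc page the `-v` flag was not being rendered as an optional argument like the other five options below it. Since this pullup touches the page anyway, three visible defects that survive the hunk unchanged are worth a follow-up: the `-a` description (line 83) says the file holds "keys that are considered trusted" while the EXAMPLES text (lines 133-135) and the CAVEATS section call them anchor certificates, so "keys" should read "certificates"; the `sign` example on line 125, `nbsvtool -k key -f cert -c cert-chain sign hello hello.sp7`, passes a second argument even though the command list (line 56) documents `sign` as taking only `file` and writing `file.sp7` itself, so either the example or the command description is wrong; and the `-u` description refers to `.Ar key usage` (line 101) where the argument is named `required-key-usage` everywhere else. The typo "explicilty" on line 141 should also be "explicitly". The `.Dd` bump to March 11, 2009 and the RCS id on the branch look fine.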