145 lines
4.4 KiB
Groff
145 lines
4.4 KiB
Groff
.\" $NetBSD: nbsvtool.1,v 1.6 2011/04/28 17:14:45 wiz Exp $
|
|
.\"
|
|
.\" Copyright (c) 2004-2008 The NetBSD Foundation, Inc.
|
|
.\" All rights reserved.
|
|
.\"
|
|
.\" This code is derived from software contributed to The NetBSD Foundation
|
|
.\" by Love Hörnquist Åstrand <lha@it.su.se>
|
|
.\"
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
.\" modification, are permitted provided that the following conditions
|
|
.\" are met:
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
.\"
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
|
|
.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
|
|
.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
|
.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
|
|
.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
|
.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
|
.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
|
.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
|
.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
|
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
|
.\" POSSIBILITY OF SUCH DAMAGE.
|
|
.Dd March 11, 2009
|
|
.Dt NBSVTOOL 1
|
|
.Os
|
|
.Sh NAME
|
|
.Nm nbsvtool
|
|
.Nd create and verify detached signatures of files
|
|
.Sh SYNOPSIS
|
|
.Nm nbsvtool
|
|
.Op Fl v
|
|
.Op Fl a Ar anchor-certificates
|
|
.Op Fl c Ar certificate-chain
|
|
.Op Fl f Ar certificate-file
|
|
.Op Fl k Ar private-key-file
|
|
.Op Fl u Ar required-key-usage
|
|
.Ar command
|
|
.Ar args ...
|
|
.Sh DESCRIPTION
|
|
.Nm
|
|
is used to create and verify detached X509 signatures of files.
|
|
Private keys and certificates are expected to be PEM encoded,
|
|
signatures are in PEM/SMIME format.
|
|
.\" XXX: pointer to detailed description/documentation of these formats
|
|
.\" XXX: pointer to concept explanation: key, certificate, signature,
|
|
.\" certificate chain
|
|
.Pp
|
|
Supported commands:
|
|
.Bl -tag -width Xverify-codeXfileX[signature]XXX
|
|
.It sign Ar file
|
|
Sign
|
|
.Ar file ,
|
|
placing the signature in
|
|
.Ar file Ns Pa .sp7 .
|
|
The options
|
|
.Fl f
|
|
and
|
|
.Fl k
|
|
are required for this command.
|
|
.It verify Ar file Op Ar signature
|
|
Verify signature for
|
|
.Ar file .
|
|
If
|
|
.Ar signature
|
|
is not specified,
|
|
.Ar file Ns Pa .sp7
|
|
is used.
|
|
.It verify-code Ar file Op Ar signature
|
|
This is a short cut for verify with the option
|
|
.Fl u
|
|
code.
|
|
.El
|
|
.Pp
|
|
Supported options:
|
|
.Bl -tag -width XfXcertificateXchainXfileXXX
|
|
.It Fl a Ar anchor-certificates
|
|
A file containing one or more (concatenated) keys that are considered
|
|
trusted.
|
|
.It Fl c Ar certificate-chain
|
|
A file containing additional certificates that will be added to the signature
|
|
when creating one.
|
|
They will be used to fill missing links in the trust chain when
|
|
verifying the signature.
|
|
.It Fl f Ar certificate-file
|
|
A file containing the certificate to use for signing.
|
|
The certificate must match the key given by
|
|
.Fl k .
|
|
.It Fl k Ar private-key-file
|
|
A file containing the private key to use for signing.
|
|
.It Fl u Ar required-key-usage
|
|
Verify that the extended key-usage attribute in the signing certificate
|
|
matches
|
|
.Ar required-key-usage .
|
|
Otherwise, the signature is rejected.
|
|
.Ar key usage
|
|
can be one of:
|
|
.Dq ssl-server ,
|
|
.Dq ssl-client ,
|
|
.Dq code ,
|
|
or
|
|
.Dq smime .
|
|
.It Fl v
|
|
Print verbose information about the signing certificate.
|
|
.El
|
|
.Sh EXIT STATUS
|
|
.Ex -std
|
|
.Sh EXAMPLES
|
|
Create signature file
|
|
.Pa hello.sp7
|
|
for file
|
|
.Pa hello .
|
|
The private key is found in file
|
|
.Pa key ,
|
|
the matching certificate is in
|
|
.Pa cert ,
|
|
additional certificates from
|
|
.Pa cert-chain
|
|
are included in the created signature.
|
|
.Dl nbsvtool -k key -f cert -c cert-chain sign hello hello.sp7
|
|
.Pp
|
|
Verify that the signature
|
|
.Pa hello.sp7
|
|
is valid for file
|
|
.Pa hello
|
|
and that the signing certificate allows code signing.
|
|
Certificates in
|
|
.Pa anchor-file
|
|
are considered trusted, and there must be a certificate chain from one
|
|
of those certificates to the signing certificate.
|
|
.Dl nbsvtool -a anchor-file verify-code hello hello.sp7
|
|
.Sh SEE ALSO
|
|
.Xr openssl_smime 1
|
|
.\" XXX: pointer to X509 documentation, CA setup
|
|
.Sh CAVEATS
|
|
As there is currently no default trust anchor, you must explicilty
|
|
specify one with
|
|
.Fl a ,
|
|
otherwise no verification can succeed.
|