tech-userlevel archive


Re: CVS commit: src/usr.bin/nbsvtool



On Mon, Jul 14, 2008 at 06:57:42PM +0200, Dieter Baron wrote:
>   Mention that keys and signatures are in X509 format, and which
> variants are supported.

PEM encoded keys, detached signatures in PEM/SMIME format.

>   List and description of supported commands.

sign
verify
verify-code (shortcut for setting -u code)

which do the obvious.

>   Expected format of the various input files, with pointer to complete
> description and ways/tools to create them (openssl man pages, relevant
> RFCs, . . .):

See the second comment in nbsvtool.c.

> - certificate_chain_file

Additional certificates to include in the signature

> - certificate_file

The certificate itself.

> - private_key

The private key matching the certificate for sign operations.

>   Description of the key usages mentioned (ssl-server, ssl-client,
> code, smime), and when one is supposed to use which.  Pointer to more
> detailed information and exhaustive list (if there are more
> possibilities).

Can't comment on that. Currently supported are ssl-server, ssl-client,
code and smime, others (SGC, OCSP, timestamp, DVCS) can be added easily. 

>   Syntax of the trust anchor.

cat'ed list of PEM encoded certificates that are considered trusted.

>   Description of the examples, and what each is trying to accomplish.

Create signature file "hello.sp7" for file "hello". Private key is found
in file "key", certificates from "cert-chain" are included. The
certificate matching the private key must be included.

Verify that the signature "hello.sp7" for file "hello" is valid and that
the certificate allows code signing.

Same but check "file" instead.

Check signature "file.sp7" of "file", using "anchor-file" as trust
anchor.

Joerg
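The sign/verify workflow sketched in the examples above, as an added example that is neither nbsvtool's code nor part of this thread: it reproduces the same steps with openssl(1) in place of nbsvtool, so the command-line syntax below is openssl's, not nbsvtool's. It assumes openssl 1.1.1 or later is in PATH; the input file, certificates and keys are constructed on the fly.

```shell
#!/bin/sh
# Added example (not nbsvtool's own code): PEM key, detached PEM/SMIME (PKCS#7)
# signature, cat'ed PEM trust anchor and a code-signing check, via openssl(1).
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Constructed input file, plus a constructed self-signed signer certificate with
# its matching PEM private key (the "certificate_file" and "private_key").
# The extendedKeyUsage extension marks the certificate as allowed for code signing.
printf 'hello, world\n' > hello
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=constructed signer' \
    -addext extendedKeyUsage=codeSigning -keyout key -out cert 2>/dev/null

# Trust anchor: a cat'ed list of PEM certificates that are considered trusted.
# A second, unrelated certificate is constructed so the list has more than one entry.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=other anchor' \
    -keyout other.key -out other.crt 2>/dev/null
cat other.crt cert > anchor-file

# Create a detached signature in PEM/SMIME format; the signer certificate is
# included in the PKCS#7 structure, as the thread says it must be.
sign_detached() {        # sign_detached <file> <private_key> <cert> <sigfile>
    openssl smime -sign -binary -in "$1" -inkey "$2" -signer "$3" \
        -outform PEM -out "$4"
}

# Verify a detached signature over <file>, trusting only the anchor list.
# "-purpose any" leaves the usage check to allows_code_signing below.
verify_detached() {      # verify_detached <sigfile> <file> <anchor-file>
    openssl smime -verify -binary -inform PEM -in "$1" -content "$2" \
        -CAfile "$3" -purpose any -out /dev/null 2>/dev/null
}

# Check that a certificate's extended key usage allows code signing
# (the property nbsvtool's verify-code command is said to check).
allows_code_signing() {  # allows_code_signing <cert>
    openssl x509 -in "$1" -noout -text | grep -q 'Code Signing'
}

sign_detached hello key cert hello.sp7
verify_detached hello.sp7 hello anchor-file && echo "hello.sp7: good signature for hello"
allows_code_signing cert && echo "cert: code signing allowed"

# Any change to the signed file must make verification fail.
printf 'hello, world!\n' > tampered
verify_detached hello.sp7 tampered anchor-file || echo "hello.sp7: does not match tampered"
```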

