author Butkovits Atila <>
Sun, 18 Apr 2021 08:31:26 +0000
changeset 576467 7f8d1b667187916539f125e511dea2aca7745d4b
parent 75563 33000157292b4cef2533a8769a49cd7d1e86d64d
permissions -rw-r--r--
Bug 1705193 - disable text-overflow-022.html on Mac for frequent failures. r=aryx DONTBUILD Differential Revision:

    symkeyutil - manage fixed keys in the database

    symkeyutil -H
    symkeyutil -L [std_opts] [-r]
    symkeyutil -K [-n name] -t type [-s size] [-i id |-j id_file] [std_opts]
    symkeyutil -D <[-n name | -i id | -j id_file> [std_opts]
    symkeyutil -I [-n name] [-t type] [-i id | -j id_file] -k data_file [std_opts]
    symkeyutil -E  <-nname | -i id | -j id_file> [-t type] -k data_file [-r] [std_opts]
    symkeyutil -U [-n name] [-t type] [-i id | -j id_file] -k data_file <wrap_opts> [std_opts]
    symkeyutil -W <-n name | -i id | -j id_file> [-t type] -k data_file [-r] <wrap_opts> [std_opts]
    symkeyutil -M <-n name | -i id | -j id_file> -g target_token [std_opts]
      std_opts -> [-d certdir] [-P dbprefix] [-p password] [-f passwordFile] [-h token]
      wrap_opts -> <-w wrap_name | -x wrap_id | -y id_file>


    NSS can store fixed keys as well as asymetric keys in the database. The
    symkeyutil command can be used to manage these keys. 

    As with certutil, symkeyutil takes two types of arguments, commands and
    options. Most commands fall into one of two catagories: commands which
    create keys and commands which extract or destroy keys. 

    Exceptions to these catagories are listed first:

    -H    takes no additional options. It lists a more detailed help message.
    -L    takes the standard set of options. It lists all the keys in the 
          specified token (NSS Internal DB Token is the default).  Only the 
          -L option accepts the all option for tokens to list all the fixed 

    Key Creation commands:
    For these commands, the key type (-t) option is always required. 
    In addition, the -s option may be required for certain key types.
    The standard set of options may be specified.

    -K   Create a new key using the token key gen function.
    -I   Import a new key from the raw data specified in the data file,
         specified with the -k options (required). This command may fail on 
         some tokens that don't support direct import of key material. 
    -U   Unwrap a new key from an encrypted data file specified with the -k
         option. The -w, -x, or -y option specifies the unwrapping key.
         The unwrapping algorithm is selected based on the type of the 
         unwrapping key.

    Key extraction/destruction options:
    For these keys, one and only of of the -n, -i, or -j options must be 
    specified. If more than one key matches the -n option, the 'first' key
    matching will be used.  The standard set of options may be specified.

    -D   Delete the key specified by the -n, -i, or -j options.
    -E   Export the key specified by the -n, -i, or -j options and store the
         contents to a file specified by the -k file (required). 
         This command will seldom work on any token since most keys are 
         protected from export.
    -W   Wrap the key specified by the -n, -i, or -j options and store the
         encrypted contents to a file specified by the -k file (required). 
         The -w, -x, or -y option specifies the key used to wrap the 
         target key. 
    -M   Move the key specified by the -n, -i, or -j options to the token
         specified by the -g option (required). The new key will have the
         same attributes as the source key.


    Standard options are those options that may be used by any command, and
    whose meaning is the same for all commands.

    -h token         Specify the token which the command will operate on. 
                     If -h is not specified the internal token is presumed. In
                     addition the special value 'all' may be used to specify 
                     that all tokens should be used. This is only valid for 
                     the '-L' command.
    -d certdir       Specify the location of the NSS databases. The default
                     value is platform dependent.
    -P dbprefix      Specify the prefix for the NSS database. The default value
                     is NULL.
    -p password      Specify the password for the token. On the command line. 
                     The -p and -f options are mutually exclusive. If 
                     neither option is specified, the password would be 
                     prompted from the user.
    -f passwordFile  Specify a file that contains the password for the token.
                     This option is mutually exclusive to the -p option.

    In addition to the standard options are the following command specific 
    options are.

    -r               Opens the NSS databases Read/Write. By default the -L,
                     -E, and -W commands open the database read only. Other
                     commands automatically opens the databases Read/Write and
                     igore this option if it is specified.

    -n name          Specifies the nickname for the key.

                     For the -K, -I, or -U options, name is the name for 
                     the new key.  If -n is not specified, no name is 
                     assumed. There is not check for duplicate names.

                     For the -D, -E, -W, or -M, the name specifies the key to
                     operate on. In this case one andy only one of the -n, -i
                     or -j options should be specifed. It is possible that
                     the -n options specifies and ambiguous key. In that case
                     the 'first' valid key is used.

                     For the -M option, the nickname for the new key is copied
                     from it's original key, even if the original key is
                     specified using -i or -j.

    -i key id
    -j key id file   These options are equivalent and mutually exclusive. 
                     They specify the key id for the file. The -i option
                     specifies the key id on the command line using a hex 
                     string. The -j specifies a file to read the raw key
                     id from.

                     For the -K, -I, or -U options, key id is the key id for 
                     the new key.  If -i or -j is not specified, no key id 
                     is assumed.  Some tokens may generate their own unique 
                     id for the key in this case (but it is not guarrenteed).

                     For the -D, -E, -W, or -M, the key id specifies the key to
                     operate on. In this case one andy only one of the -n, -i
                     or -j options should be specifed. 

   -t type           Specifies the key Type for the new key. This option is
                     required for the -K, -I, and -U commands. Valid values
			generic, rc2, rc4, des, des2, des3, cast, cast3,
                        cast5, cast128, rc5, idea, skipjack, baton, juniper,
                        cdmf, aes, camellia

                     Not all tokens support all key types. The generic key
                     type is usually used in MACing and key derivation 
                     algorithms. Neither generic nor rc4 keys may be used
                     to wrap other keys. Fixed rc4 keys are dangerous since
                     multiple use of the same stream cipher key to encrypted
                     different data can compromise all data encrypted with
                     that key.

   -s size           Specifies the key size. For most situations the key size
                     is already known and need not be specified. For some 
                     algorithms, however, it is necessary to specify the key
                     size when generation or unwrapping the key.

   -k key file       Specifies the name of a file that contains key data to
                     import or unwrap (-I or -U), or the location to store
                     key data or encrypted key data (-E or -W).

   -g target token   Specifies the target token when moving a key (-M). This
                     option is required for the -M command. It is invalid for
                     all other commands.

   -w wrap name
   -x wrap key id
   -y wrap key id file Specifies the wrapping key used int the -U and -W
                      command. Exactly one of these must be specified for the
                      -U or -W commands. Same semantics as the -n, -i, and -j
                      options above.


   There is no way display the key id of a key.

   The -p and -f options only specifies one password. Multiple passwords may
   be needed for the -L -h all command and the -M command.

   Perhaps RC4 should not be supported as a key type. Use of these keys as
   fixed keys is exceedingly dangerous.

   The handling of multiple keys with the same nickname should be more 
   deterministic than 'the first one'

   There is no way to specify, or display the operation flags of a key. The
   operation flags are not copied with the -M option as they should be.

   There is no way to change the attributes of a key (nickname, id, operation