Re: CVS commit: src/usr.bin/nbsvtool

[Dieter Baron <dillo%danbala.tuwien.ac.at@localhost>]

hi,

attached is an updated version of the man page, please review.

(To all others, please check wether this is enough information to use
the tool.)

  Remaining open points:

  - What is the difference between a key and a certificate.

  - I still need a pointer to X509 documentation, in particular the
    used key/certificate formats (PEM, PEM/SMIME) and key-usage attribute
    (what do the values mean).

  - What is trusted if no trust anchor is given?

                                        yours,
                                        dillo

.\" $NetBSD: nbsvtool.1,v 1.2 2008/05/22 12:01:03 wiz Exp $
.\"
.\" Copyright (c) 2004-2008 The NetBSD Foundation, Inc.
.\" All rights reserved.
.\"
.\" This code is derived from software contributed to The NetBSD Foundation
.\" by Love H�rnquist �strand <lha%it.su.se@localhost>
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.Dd July 14, 2008
.Dt NBSVTOOL 1
.Os
.Sh NAME
.Nm nbsvtool
.Nd create and verify detached signatures of files
.Sh SYNOPSIS
.Nm nbsvtool
.OP Fl v
.Op Fl a Ar anchor-certificates
.Op Fl c Ar certificate-chain
.Op Fl f Ar certificate-file
.Op Fl k Ar private-key-file
.Op Fl u Ar required-key-usage
.Ar command
.Ar args ...
.Sh DESCRIPTION
.Nm
is used to create and verify detached X509 signatures of files.
Keys are expected to be PEM encoded, signatures are in PEM/SMIME
format.
.\" XXX: pointer to detailed description/documentation of these formats
.\" XXX: what is the difference between key/certificate?
.Pp
Supported commands:
.Bl -tag -width Xverify-codeXfileX[signature]XXX
.It sign Ar file
Sign
.Ar file ,
placing the signature in
.Ar file
.Pa .sp7 .
The options
.Fl f
and
.Fl k
are required for this command.
.It verify Ar file Op Ar signature
Verify signature for
.Ar file .
If 
.Ar signature
is not specified,
.Ar file
.Pa .sp7
is used.
.It verify-code Ar file Op Ar signature
This is a short cut for verify with the option
.Fl -u 
code.
.El
.Pp
Supported options:
.Bl -tag -width XfXcertificateXchainXfileXXX
.It Fl a Ar anchor-certificates
A file containing one or more (concatenated) keys that are considered
trusted.
\" XXX: what is trusted without -a?
.It Fl c Ar certificate-chain
A file containing additional certificates that will be added to the signature
when creating one.
They will be used to fill missing links in the trust chain when
verifying the signature.
.It Fl f Ar certificate-file
A file containing the certificate to use for signing.
The certificate must match the key given by
.Fl k .
.It Fl k Ar private-key-file
A file containing the private key to use for signing.
.It Fl u Ar required-key-usage
Verify that the extended key-usage attribute in the signer certificate
matches
.Ar required-key-usage .
Otherwise, the signature is rejected.
.Ar key usage
can be one of:
.Dq ssl-server ,
.Dq ssl-client ,
.Dq code ,
or
.Dq smime .
.It Fl v
Print verbose information of the signer.
.El
.Sh EXIT STATUS
.Ex -std
.Sh EXAMPLES
.Pp
Create signature file
.Pa hello.sp7
for file 
.Pa hello .
The private key is found in file
.Pa key ,
the matching certificate is in 
.Pa cert ,
additional certificates from 
.Pa cert-chain
are included in the created signature.
.Dl nbsvtool -k key -f cert -c cert-chain sign hello hello.sp7
.Pp
Verify that the signature
.Pa hello.sp7
is valid for file
.Pa hello
 and that the certificate used allows code signing.
.Dl nbsvtool verify-code hello hello.sp7
.Pp
Same as above, but for file
.Pa file .
.Dl nbsvtool -u code verify file file.sp7
.Pp
Check signature for
.Pa file ,
using
.Pa anchor-file
as trust anchor.
.Dl nbsvtool -a anchor-file verify file.sp7
.Sh SEE ALSO
.Xr openssl_smime 1
.\" XXX: pointer to X509 documentation