From MozillaWiki
Jump to: navigation, search

Which tools should be shipped with NSS?

On operating systems that ship NSS as a system library, it's a good idea to ship the NSS tools as well. This page is meant to reach an agreement on which tools can be shipped and what requirements that would have.

Proposal: main tools vs. unsupported tools

Distinguish between:

  • "main" tools that get installed in the global program search path (like /usr/bin on Linux) and should therefore be documented and part of NSS QA
  • "unsupported" tools that do not have documentation, that are not necessarily part of the NSS QA, that will not get installed in the search path, but in a secondary location like /usr/lib/nss/unsupported-tools

The idea is

  • make the unsupported tools available with the OS, so that developers do not have to compile them themselves
  • ensure that by default the unsupported tools will not be available on the command line
  • require that developers add the unsupported directory to their search path

Proposal for packaging

Ship the unsupported tools in the same package as the supported tools.

This ensures that everybody looking for tools will find the unsupported tools as well! Having a separate package for the unsupported tools would make it much more difficult to find them.

Group 1: Tools that are shipping already

The following tools have sufficient docs and are already being shipped by some vendors: Note the NSS tools documentation page is at: http://www.mozilla.org/projects/security/pki/nss/tools/

  • certutil
  • modutil
  • pk12util
  • signtool
  • ssltap

Group 2: Candidates for addition that have documentation

These tools are listed on ttp://www.mozilla.org/projects/security/pki/nss/tools/ and except dbck we've been asked to ship them:


Has docs. Proposal: ship as "main" tool


Has docs. Proposal: ship as "main" tool


Proposal: clean up docs and ship as "main" tool

Docs need work!


No docs. Proposal: do NOT package this tool

This tool is also not development complete. It will also need to be adjusted to work on sqlite databases as well.

Group 3: Requested or proposed unsupported tools

We received requests to ship the following tools.

  • derdump
  • pp
  • ocspclnt
  • tstclnt
  • selfserv
  • vfyserv
  • atob
  • btoa

For the following tools we have not yet been asked to ship them, but they all seem to provide a functionality that might eventually be helpful while debugging or testing:

  • shlibsign
  • symkeyutil (This tool is currently incomplete, but would provided needed functionality if it were).
  • vfychain
  • strsclnt

Assumption: nobody volunteers to write documentation for them short term.

Proposal based on that assumption: ship them as unsupported tools

Group 4: Undocumented tools that should not get shipped

It seems unlikely that non-NSS developers might want to use the following tools in their current state:

  • addbuiltin
  • bltest
  • certcgi
  • checkcert
  • client
  • crmftest
  • dbtest
  • digest
  • example
  • fipstest
  • makepgq
  • mangle
  • minigzip
  • oidcalc
  • p7content
  • p7env
  • p7sign
  • p7verify
  • pk11mode
  • pk11util - this is a useful tool for PKCS #11 developers. It might be a candidate for a pkcs 11 devel package.
  • rsaperf
  • sdrtest
  • server

Group 5: Undocumented tools that currently aren't built, but may be candidates for support

There are several tools that are currently not built as part of NSS. Some of these tools may have some utility.

  • pwdecrypt - read a file with base64 SDR encrypted data and replace that data with decrypted data (useful in reading mozilla password files without a mozilla app).