### Compile and Install GoogleTest on Unix-like Systems

Source: https://github.com/mozilla/nss/blob/master/gtests/google_test/gtest/README.md

After generating Makefiles with CMake on a Unix-like system, use 'make' to compile GoogleTest and 'sudo make install' to install it system-wide.

```bash
make
sudo make install    # Install in /usr/local/ by default
```

--------------------------------

### Example: Add a PKCS #11 Module

Source: https://github.com/mozilla/nss/blob/master/doc/html/modutil.html

An example demonstrating how to add a specific PKCS #11 module with its library and supported mechanisms to a database located at /home/my/sharednssdb.

```bash
modutil -dbdir /home/my/sharednssdb -add "Example PKCS #11 Module" -libfile "/tmp/crypto.so" -mechanisms RSA:DSA:RC2:RANDOM
```

--------------------------------

### Install Linux Prerequisites

Source: https://github.com/mozilla/nss/blob/master/doc/rst/build.md

Installs necessary tools like Mercurial, Git, Ninja, and Python packages for building NSS on Linux.

```bash
sudo apt install mercurial git ninja-build python3-pip
python3 -m pip install gyp-next
```

--------------------------------

### PKCS #11 JAR Sample Script File

Source: https://github.com/mozilla/nss/blob/master/cmd/modutil/pk11jar.html

This sample script file defines installation details for different platforms, including module names, library files, flags, and files to be installed.
```text
ForwardCompatible { IRIX:6.2:mips Solaris:5.5.1:sparc }
Platforms {
   WINNT::x86 {
      ModuleName { "Fortezza Module" }
      ModuleFile { win32/fort32.dll }
      DefaultMechanismFlags{0x0001}
      DefaultCipherFlags{0x0001}
      Files {
         win32/setup.exe {
            Executable
            RelativePath { %temp%/setup.exe }
         }
         win32/setup.hlp {
            RelativePath { %temp%/setup.hlp }
         }
         win32/setup.cab {
            RelativePath { %temp%/setup.cab }
         }
      }
   }
   Solaris:5.5.1:sparc {
      ModuleName { "Fortezza UNIX Module" }
      ModuleFile { unix/fort.so }
      DefaultMechanismFlags{0x0001}
      CipherEnableFlags{0x0001}
      Files {
         unix/fort.so {
            RelativePath{%root%/lib/fort.so}
            AbsolutePath{/usr/local/netscape/lib/fort.so}
            FilePermissions{555}
         }
         xplat/instr.html {
            RelativePath{%root%/docs/inst.html}
            AbsolutePath{/usr/local/netscape/docs/inst.html}
            FilePermissions{555}
         }
      }
   }
   IRIX:6.2:mips {
      EquivalentPlatform { Solaris:5.5.1:sparc }
   }
}
```

--------------------------------

### Complete Release Workflow Example

Source: https://github.com/mozilla/nss/blob/master/automation/release/README.md

Demonstrates the steps for a complete NSS release, including generating documentation and email, and updating release notes.

```bash
cd /path/to/nss
python3 automation/release/generate_release_doc.py 3.118
```

```bash
python3 automation/release/generate_release_email.py 3.118 release_email.txt
```

--------------------------------

### Install Google Test Library

Source: https://github.com/mozilla/nss/blob/master/gtests/google_test/gtest/CMakeLists.txt

Installs the Google Test and Google Test main libraries. This is a foundational step for using Google Test in your project.

```cmake
install_project(gtest gtest_main)
```

--------------------------------

### Install MacOS Prerequisites

Source: https://github.com/mozilla/nss/blob/master/doc/rst/build.md

Installs necessary tools like Mercurial, Git, Ninja, and Python packages for building NSS on macOS using Homebrew.
```bash
brew install mercurial git ninja python3-pip
python3 -m pip install gyp-next
```

--------------------------------

### Full try syntax example

Source: https://github.com/mozilla/nss/blob/master/doc/rst/try.md

The full form of try syntax runs every available build and test. Use `./mach try` with no arguments to see the current valid tokens.

```text
try: -b do -p all -u all -t all -e all
```

--------------------------------

### Sign a Directory into a JAR File

Source: https://github.com/mozilla/nss/blob/master/doc/html/signtool.html

This example demonstrates how to sign the contents of a directory into a JAR file. It involves creating a directory, adding a file to it, and then using signtool with the -k (certificate name) and -Z (JAR file name) options to sign and package the directory.

```bash
mkdir signdir
echo boo > signdir/test.f
signtool -k MySignCert -Z testjar.jar signdir
```

--------------------------------

### List PKCS11 Modules (FIPS-140-1 Module)

Source: https://github.com/mozilla/nss/blob/master/doc/html/signtool.html

This example demonstrates listing PKCS11 modules when a FIPS-140-1 module is in use. It prompts for a password and then displays the FIPS module details, including its slot and token.

```bash
signtool -d "c:\netscape\users\jsmith" -M

using certificate directory: c:\netscape\users\jsmith
Enter Password or Pin for "Communicator Certificate DB": [password will not echo]
Listing of PKCS11 modules
-----------------------------------------------
1. Netscape Internal FIPS PKCS #11 Module
   (this module is internally loaded)
   slots: 1 slots attached
   status: loaded
   slot: Netscape Internal FIPS-140-1 Cryptographic Services
   token: Communicator Certificate DB
-----------------------------------------------
```

--------------------------------

### Basic SSLTap Usage

Source: https://github.com/mozilla/nss/blob/master/cmd/ssltap/ssltap-manual.html

Run this command to start SSLTap and listen for incoming connections on the default port 1924.
The browser should then be pointed to the intercepting machine's address and port.

```bash
ssltap www.netscape.com:80
```

--------------------------------

### Install CMake Package Configuration Files

Source: https://github.com/mozilla/nss/blob/master/gtests/google_test/gtest/CMakeLists.txt

Generates and installs CMake package configuration files (Config.cmake and ConfigVersion.cmake) if INSTALL_GTEST is enabled. This allows other projects to find and use Google Test as a CMake package.

```cmake
# Create the CMake package file descriptors.
if (INSTALL_GTEST)
  include(CMakePackageConfigHelpers)
  set(targets_export_name ${cmake_package_name}Targets CACHE INTERNAL "")
  set(generated_dir "${CMAKE_CURRENT_BINARY_DIR}/generated" CACHE INTERNAL "")
  set(cmake_files_install_dir "${CMAKE_INSTALL_LIBDIR}/cmake/${cmake_package_name}")
  set(version_file "${generated_dir}/${cmake_package_name}ConfigVersion.cmake")
  write_basic_package_version_file(${version_file} VERSION ${GOOGLETEST_VERSION} COMPATIBILITY AnyNewerVersion)
  install(EXPORT ${targets_export_name}
    NAMESPACE ${cmake_package_name}::
    DESTINATION ${cmake_files_install_dir})
  set(config_file "${generated_dir}/${cmake_package_name}Config.cmake")
  configure_package_config_file("${gtest_SOURCE_DIR}/cmake/Config.cmake.in"
    "${config_file}" INSTALL_DESTINATION ${cmake_files_install_dir})
  install(FILES ${version_file} ${config_file}
    DESTINATION ${cmake_files_install_dir})
endif()
```

--------------------------------

### ssltap Command for SSL Parsing

Source: https://github.com/mozilla/nss/blob/master/doc/html/ssltap.html

Example command to run ssltap with SSL parsing enabled (-s) and output redirected to a file. This is useful for capturing and analyzing SSL/TLS traffic.
```bash
$ ssltap -s -p 444 interzone.mcom.com:443 > s.txt
```

--------------------------------

### SSLTap Hexadecimal Data Example

Source: https://github.com/mozilla/nss/blob/master/cmd/ssltap/ssltap-manual.html

This example shows the format of hexadecimal data output when the -x option is used. It displays byte offsets and their corresponding hex and ASCII representations.

```text
<-- [
   0: 56 d5 16 3e a1 6b b1 4a 8f 67 c4 d7 21 2f 6f dd | V..>.k.J.g..!/o.
  10: bb 22 c4 75 8c f4 ce 28 16 a6 20 aa fb 9a 59 a1 | ".u...(.. ...Y.
  20: 51 91 14 d2 fc 9f a7 ea 4d 9c f7 3a 9d 83 62 4a | Q.......M..:..bJ
]
```

--------------------------------

### Generating Keys and Certificate

Source: https://github.com/mozilla/nss/blob/master/doc/html/signtool.html

Generates a new public-private key pair and certificate using the -G option. The tool prompts for certificate information, which is optional for test certificates. The generated certificate is installed in the specified directory and also output to x509.cacert.

```bash
signtool -G MyTestCert

using certificate directory: /u/someuser/.netscape
Enter certificate information. All fields are optional. Acceptable characters are numbers, letters, spaces, and apostrophes.
certificate common name: Test Object Signing Certificate
organization: Netscape Communications Corp.
organization unit: Server Products Division
state or province: California
country (must be exactly 2 characters): US
username: someuser
email address: someuser@netscape.com
Enter Password or Pin for "Communicator Certificate DB": [Password will not echo]
generated public/private key pair
certificate request generated
certificate has been signed
certificate "MyTestCert" added to database
Exported certificate to x509.raw and x509.cacert.
```

--------------------------------

### Get Detailed Module Information

Source: https://github.com/mozilla/nss/blob/master/cmd/modutil/specification.html

Provides a detailed description of a specific PKCS #11 module, including its library file, manufacturer, version, and information about its slots and tokens. Use the module name as an argument.

```bash
% modutil -list "Netscape Internal PKCS #11 Module"
```

--------------------------------

### Install Cryptographic Module from JAR File

Source: https://github.com/mozilla/nss/blob/master/doc/html/modutil.html

Installs a PKCS #11 module packaged within a JAR file. This method uses an installation script within the JAR to configure the module and its libraries.

```bash
modutil -dbdir /home/my/sharednssdb -jar install.jar -installdir /home/my/sharednssdb
```

--------------------------------

### Radix-10 Multiplication Example

Source: https://github.com/mozilla/nss/blob/master/lib/freebl/mpi/doc/mul.txt

A longhand worked example of the multiplication algorithm in radix-10, showing intermediate values.

```text
    a =     999
    b =   x 999
     -------------
    p =   98001

w = (a[jx] * b[ix]) + kin + c[ix + jx]
c[ix+jx] = w % RADIX
k = w / RADIX
                                                        product
ix   jx   a[jx]  b[ix]  kin   w        c[i+j]  kout     000000
0    0    9      9      0     81+0+0   1       8        000001
0    1    9      9      8     81+8+0   9       8        000091
0    2    9      9      8     81+8+0   9       8        000991
                        8                      0        008991
1    0    9      9      0     81+0+9   0       9        008901
1    1    9      9      9     81+9+9   9       9        008901
1    2    9      9      9     81+9+8   8       9        008901
                        9                      0        098901
2    0    9      9      0     81+0+9   0       9        098001
2    1    9      9      9     81+9+8   8       9        098001
2    2    9      9      9     81+9+9   9       9        098001
```

--------------------------------

### Declare PKCS11 Install Script in Manifest

Source: https://github.com/mozilla/nss/blob/master/cmd/modutil/pk11jar.html

Declare the PKCS #11 installer script in the JAR archive's manifest file using the Pkcs11_install_script metainfo tag.
```text
+ Pkcs11_install_script: pk11install
```

--------------------------------

### Create New Security Databases

Source: https://github.com/mozilla/nss/blob/master/doc/html/certutil.html

Creates the necessary database files (certN.db, keyN.db, secmod.db) required for storing certificates, keys, and security modules. Specify the directory where these databases will be created.

```bash
certutil -N -d directory
```

--------------------------------

### Create NSS Release Branch and Tag Beta

Source: https://github.com/mozilla/nss/blob/master/doc/rst/runbooks/releasing.md

Use this script to create a new release branch and tag the first beta release. Replace `<3.XXX>` with the version number and `` with the target remote repository.

```bash
python3 automation/release/nss-release-helper.py make_release_branch <3.XXX>
```

--------------------------------

### List Security Modules

Source: https://github.com/mozilla/nss/blob/master/doc/html/certutil.html

Use the -U and -d arguments to list all security modules configured in the secmod.db database.

```bash
$ certutil -U -d /home/my/sharednssdb
```

--------------------------------

### Avoid GoogleTest Macro Name Clashes

Source: https://github.com/mozilla/nss/blob/master/gtests/google_test/gtest/README.md

Use this flag to prevent GoogleTest macros from clashing with other libraries by renaming them. For example, renaming TEST to GTEST_TEST.

```c++
// Compiler flag: -DGTEST_DONT_DEFINE_TEST=1
GTEST_TEST(SomeTest, DoesThis) { ... }
```

--------------------------------

### SSL Record Structure Example

Source: https://github.com/mozilla/nss/blob/master/doc/html/ssltap.html

Illustrates the structure of an SSLRecord, including type, version, length, and handshake message details. This is a server-side handshake message.

```text
SSLRecord {
  0: 16 03 00 03 e5 |.....
  type = 22 (handshake)
  version = { 3,0 }
  length = 997 (0x3e5)
  handshake {
    0: 02 00 00 46 |...F
    type = 2 (server_hello)
    length = 70 (0x000046)
    ServerHello {
      server_version = {3, 0}
      random = {...}
         0: 77 8c 6e 26 6c 0c ec c0 d9 58 4f 47 d3 2d 01 45 | wn&l.ì..XOG.-.E
        10: 5c 17 75 43 a7 4c 88 c7 88 64 3c 50 41 48 4f 7f | \.uC§L.Ç.d
}
```

```text
SSLRecord {
  0: 17 03 00 00 a0 |....
  type = 23 (application_data)
  version = { 3,0 }
  length = 160 (0xa0)
  < encrypted >
}
```

```text
SSLRecord {
  0: 17 03 00 00 df |....ß
  type = 23 (application_data)
  version = { 3,0 }
  length = 223 (0xdf)
  < encrypted >
}
SSLRecord {
  0: 15 03 00 00 12 |.....
  type = 21 (alert)
  version = { 3,0 }
  length = 18 (0x12)
  < encrypted >
}
```

--------------------------------

### Signing an Archive with a ZIP Utility

Source: https://github.com/mozilla/nss/blob/master/doc/html/signtool.html

This snippet shows how to package a signed archive into a JAR file using a ZIP utility after signing. Ensure the ZIP utility is in your PATH.

```bash
cd signdir
zip -r ../myjar.jar *
  adding: META-INF/ (stored 0%)
  adding: META-INF/manifest.mf (deflated 15%)
  adding: META-INF/signtool.sf (deflated 28%)
  adding: META-INF/signtool.rsa (stored 0%)
  adding: text.txt (stored 0%)
```

--------------------------------

### Server Hello and Certificate Chain

Source: https://github.com/mozilla/nss/blob/master/doc/html/ssltap.html

Illustrates an SSL handshake's Server Hello, Certificate, Server Key Exchange, and Server Hello Done messages. The certificate data is saved to a file.
```text
SSLRecord {
  type = 22 (handshake)
  version = { 3,0 }
  length = 997 (0x3e5)
  handshake {
    type = 2 (server_hello)
    length = 70 (0x000046)
    ServerHello {
      server_version = {3, 0}
      random = {...}
      session ID = {
        length = 32
        contents = {..}
      }
      cipher_suite = (0x0003) SSL3/RSA/RC4-40/MD5
    }
    type = 11 (certificate)
    length = 709 (0x0002c5)
    CertificateChain {
      chainlength = 706 (0x02c2)
      Certificate {
        size = 703 (0x02bf)
        data = { saved in file 'cert.001' }
      }
    }
    type = 12 (server_key_exchange)
    length = 202 (0x0000ca)
    type = 14 (server_hello_done)
    length = 0 (0x000000)
  }
}
```

--------------------------------

### ssltap command for hex/ASCII output

Source: https://github.com/mozilla/nss/blob/master/doc/html/ssltap.html

Example of using ssltap with the -h option to display traffic in hex/ASCII format without SSL parsing. Output is redirected to a file.

```bash
$ ssltap -h -p 444 interzone.mcom.com:443 > h.txt
```

--------------------------------

### Print Certificate Chain

Source: https://github.com/mozilla/nss/blob/master/doc/html/certutil.html

Prints the full certificate chain for a given certificate, starting from the root CA down to the issued certificate. Requires the database directory and certificate nickname.

```bash
certutil -d /home/my/sharednssdb -O -n "jsmith@example.com"
```

--------------------------------

### Build NSS with make

Source: https://github.com/mozilla/nss/blob/master/doc/rst/build.md

Builds NSS using the Make build system, typically for a 64-bit environment. This method can be slower than gyp/ninja.

```bash
USE_64=1 make -j
```

--------------------------------

### Exporting Keys and Certificates with pk12util

Source: https://github.com/mozilla/nss/blob/master/doc/html/pk12util.html

Exports certificates and keys from a database to a PKCS #12 file. Specify the output file, certificate name, and optionally the database directory.
```bash
pk12util -o p12File -n certname [-c keyCipher] [-C certCipher] [-m|--key_len keyLen] [-n|--cert_key_len certKeyLen] [-d directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]
```

```bash
# pk12util -o certs.p12 -n Server-Cert -d /home/my/sharednssdb
Enter password for PKCS12 file:
Re-enter password:
```

--------------------------------

### Create Security Databases

Source: https://github.com/mozilla/nss/blob/master/doc/html/modutil.html

Use this command to create the necessary security database files in a specified directory. This is a prerequisite for most other modutil operations.

```bash
modutil -create -dbdir directory
```

--------------------------------

### Build NSS (32-bit)

Source: https://github.com/mozilla/nss/blob/master/readme.md

Use this command to perform a typical 32-bit build of NSS. Ensure you are in the NSS directory.

```bash
make nss_build_all
```

--------------------------------

### Build NSS with GYP + Ninja

Source: https://github.com/mozilla/nss/blob/master/CLAUDE.md

Execute build commands using the primary build system. Use flags for specific build types like debug, optimized, or clean builds.

```sh
./build.sh        # debug build → ../dist/Debug/
./build.sh -o     # optimized build → ../dist/Release/
./build.sh -c     # clean + build
./mach build      # equivalent wrapper
```

--------------------------------

### Specify Legacy Database with signver

Source: https://github.com/mozilla/nss/blob/master/doc/html/signver.html

When using legacy BerkeleyDB databases, prefix the security directory with 'dbm:'.

```bash
# signver -A -s signature -d dbm:/home/my/sharednssdb
```

--------------------------------

### Run Other GTests with Certificate Database

Source: https://github.com/mozilla/nss/blob/master/CLAUDE.md

Execute other gtests by setting up a certificate database and then running the respective gtest binary, specifying the database path.
```sh
# Other gtests
./tests/gtests/gtest_db.sh ./gtest_certdb ../dist/Debug/bin/certutil
../dist/Debug/bin/pkcs11testmodule_gtest -d ./gtest_certdb   # example
```

--------------------------------

### Run All NSS Tests

Source: https://github.com/mozilla/nss/blob/master/readme.md

Navigate to the 'tests' directory and execute this script to run all available NSS tests. Ensure build environment variables are also set for testing.

```bash
cd tests
./all.sh
```

--------------------------------

### Importing Keys and Certificates

Source: https://github.com/mozilla/nss/blob/master/doc/html/pk12util.html

The most basic usage of pk12util for importing a certificate or key requires the PKCS #12 input file (-i) and a way to specify the security database being accessed (either -d for a directory or -h for a token).

```bash
pk12util -i p12File [-h tokenname] [-v] [-d directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]
```

```bash
# pk12util -i /tmp/cert-files/users.p12 -d /home/my/sharednssdb
```

--------------------------------

### List All Keys in Database

Source: https://github.com/mozilla/nss/blob/master/doc/html/certutil.html

Use the -K and -d arguments to list all keys stored in the NSS key database.

```bash
$ certutil -K -d $HOME/nssdb
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services "
< 0> rsa 455a6673bde9375c2887ec8bf8016b3f9f35861d Thawte Freemail Member's Thawte Consulting (Pty) Ltd. ID
< 1> rsa 40defeeb522ade11090eacebaaf1196a172127df Example Domain Administrator Cert
< 2> rsa 1d0b06f44f6c03842f7d4f4a1dc78b3bcd1b85a5 John Smith user cert
```

--------------------------------

### List All Modules

Source: https://github.com/mozilla/nss/blob/master/doc/html/modutil.html

Retrieves a list of all PKCS #11 modules currently in the security database. This command shows module names, their status, and associated security databases.
```bash
modutil -list [modulename] -dbdir directory
```

--------------------------------

### Mach Commands

Source: https://github.com/mozilla/nss/blob/master/CLAUDE.md

List available commands for the `mach` build tool.

```sh
./mach commands              # list all available commands
./mach coverage ssl_gtests   # source coverage report for a suite
./mach fuzz-coverage         # coverage for fuzzing targets
```

--------------------------------

### List PKCS11 Modules (Internal Module)

Source: https://github.com/mozilla/nss/blob/master/doc/html/signtool.html

This command lists the available PKCS11 modules, specifically showing the Netscape Internal PKCS #11 Module and its associated slots and tokens. It uses the -d option to specify the certificate directory.

```bash
signtool -d "c:\netscape\users\jsmith" -M
```

--------------------------------

### Enable MCP Servers Configuration

Source: https://github.com/mozilla/nss/blob/master/CLAUDE.md

Configure local settings to enable all project MCP servers, specifically the 'moz' server for Bugzilla and Phabricator access.

```json
{
  "enableAllProjectMcpServers": true,
  "enabledMcpjsonServers": ["moz"]
}
```

--------------------------------

### Print Signature Data with signver

Source: https://github.com/mozilla/nss/blob/master/doc/html/signver.html

Use the -A option to print all information in a signature file. The -o option redirects output to a file.

```bash
signver -A -s signature_file -o output_file
```