nfkmverify

nfkmverify [-fvU] [-m MODULE] [appname ident [appname ident [...]]]

Establishes the soundness of security world infrastructure and application keys.

nfkmverify options

Option Description

Program options

-A, --assigned

In a common-criteria-cmts world, checks whether the key is assigned.

-f, --force

Forces the display of possibly-wrong output report.

-v, --verbose

Prints full public keys and generation parameters.

--trusted-certifier=HASH

Trust the seeinteg certifier with this hash. This option can also take a list of key hashes separated by commas or spaces. It instructs nfkmverify to regard these keys as trusted even if they cannot be verified.

Key checking options

-C, --certificate

Check original ACL for the key using key generation certificate. (Default)

-L, --loaded

Checks the ACL of the loaded key instead of the generation certificate.

-R, --recov

Checks the ACL of the key loaded from the recovery blob.

Option to accept particular discrepancies

--allow-dh-unknown-sg-group

Proceeds if a Diffie-Hellman key uses an unrecognized Sophie-Germain group.

-U, --unverifiable

Proceeds even if the security world is unverifiable.

Option to address HSMs

-m, --module=MODULE

Specifies the number of the module to perform the test with.
If you only have one module, <MODULE> is 1.

Help options

-h, --help

Displays help for nfkmverify.

-u, --usage

Displays a brief usage summary for nfkmverify.

-V, --version

Displays the version number of the Security World Software that deploys nfkmverify.

Verify a migrated key

To verify a migrated key, you must preload the key and use nfkmverify with either -L|--loaded or -R|--recov options.

By default, nfkmverify compares the original Access Control List (ACL) that was provided when a key was generated to the current Security World. If the key was migrated, then the key hashes and mechanisms in the original ACL will not be consistent with the current Security World and nfkmverify will report a discrepancy. It might also be unable to load the KML blob necessary to verify the original ACL.

If the key is protected by a foreign seeinteg key, that is, a seeinteg key from another security world, you must use the --trusted-certifier option. Otherwise verification will fail because the seeinteg key cannot be verified.