From 5147d71466455b3d087b3f3a7472a35e8216c55a Mon Sep 17 00:00:00 2001 From: Stef Walter Date: Thu, 24 Jan 2013 11:34:47 +0100 Subject: Add basic trust module This is based off the roots-store from gnome-keyring and loads certificates from a root directory and exposes them as PKCS#11 objects. --- doc/Makefile.am | 2 ++ doc/p11-kit-config.xml | 10 ++++++ doc/p11-kit-devel.xml | 24 ++++++++++++++ doc/p11-kit-docs.sgml | 1 + doc/p11-kit-trust.xml | 90 ++++++++++++++++++++++++++++++++++++++++++++++++++ doc/style.css | 6 +++- 6 files changed, 132 insertions(+), 1 deletion(-) create mode 100644 doc/p11-kit-trust.xml (limited to 'doc') diff --git a/doc/Makefile.am b/doc/Makefile.am index 1846993..3154215 100644 --- a/doc/Makefile.am +++ b/doc/Makefile.am @@ -52,6 +52,7 @@ IGNORE_HFILES= \ dict.h \ mock-module.h \ pkcs11.h \ + pkcs11x.h \ private.h \ util.h \ array.h \ @@ -66,6 +67,7 @@ HTML_IMAGES= # e.g. content_files=running.sgml building.sgml changes-2.0.sgml content_files=p11-kit-config.xml p11-kit-sharing.xml \ p11-kit-devel.xml \ + p11-kit-trust.xml \ p11-kit.xml \ $(NULL) diff --git a/doc/p11-kit-config.xml b/doc/p11-kit-config.xml index d35b112..da413e0 100644 --- a/doc/p11-kit-config.xml +++ b/doc/p11-kit-config.xml @@ -167,6 +167,16 @@ critical: yes not present, then any process will load the module. + + trust-policy + + If this setting is present then this module is used to load + trust policy information such as certificate anchors and black lists. + The value should be an integer. Modules with a lower number are loaded + first. Trust policy information in modules loaded later overrides + those loaded first. + + Do not specify both enable-in and disable-in diff --git a/doc/p11-kit-devel.xml b/doc/p11-kit-devel.xml index f2a1f58..f3acde1 100644 --- a/doc/p11-kit-devel.xml +++ b/doc/p11-kit-devel.xml @@ -131,6 +131,8 @@ $ make install xsltproc is required to build the command manual pages. Use --enable-doc to control this dependency. + libtasn1 is required to build the trust + module and code that interacts with certificates. @@ -143,6 +145,10 @@ $ make install + + Disables building of the trust policy module. + + , By default p11-kit is built with debug symbols assertions and and precondition checks. Enabling the debug option configures even more @@ -164,11 +170,29 @@ $ make install compiler warnings become errors. + , + Build with a dependency on the libtasn1 library. This dependency + allows the trust policy module to be built as well as other code that interacts with + certificates. + + Specify the path to look for PKCS#11 modules which were listed in a module config file with a relative path. + + Specify the files or directories to look for system + certificate anchors. Multiple files and/or directories are specified with + a : in between them. + + + + Specify the files or directories to look for other + non-anchor system certificates. Multiple files and/or directories are + specified with a : in between them. + + Specify the path to look for p11-kit config files. This usually defaults to something like /etc/pkcs11 diff --git a/doc/p11-kit-docs.sgml b/doc/p11-kit-docs.sgml index 2d3760a..5627f6f 100644 --- a/doc/p11-kit-docs.sgml +++ b/doc/p11-kit-docs.sgml @@ -13,6 +13,7 @@ + Command Line Tools diff --git a/doc/p11-kit-trust.xml b/doc/p11-kit-trust.xml new file mode 100644 index 0000000..7496f7b --- /dev/null +++ b/doc/p11-kit-trust.xml @@ -0,0 +1,90 @@ + + + +Trust Policy Module + + The trust module provides system certificate anchors, blacklists + and other trust policy to crypto libraries applications. This + information is exposed as PKCS#11 objects. + +
+ Files loaded by the Module + + The trust module loads certificates and trust policy information + from preconfigured directories and allows them to be looked up via + PKCS#11. The directories can be determined with using the following + commands: + + + + System Anchors: certificates in these locations + are automatically treated as certificate authority anchors + unless they contain information that prevents that. To check + which locations are being used, run the following command: + +$ pkg-config --variable p11_system_anchors p11-kit-1 +/etc/pki/tls/certs/ca-bundle.trust.crt:/etc/pki/tls/anchors + + + + System Certificates: certificates in these locations + are not treated as anchors, but simply made available through + the module. To find out which directory is used, run the + following command: + +$ pkg-config --variable p11_system_certificates p11-kit-1 +/etc/pki/tls/other-certs + + + + + Files in the following formats are supported for loading by the + trust policy module: + + + + X.509 certificates + X.509 certificates in raw DER format. + + +
+ +
+ Using the Trust Policy Module with NSS + + The trust policy module is a drop in replacement for the + libnssckbi.so module and thus works out of + the box with NSS. The module may be used to replace the + libnssckbi.so file via an distribution + specific alternatives mechanism or otherwise. + + Alternatively NSS applications like Firefox or Thunderbird + may be configured to use the trust policy module by adding + the p11-kit-trust.so PKCS#11 module via their + GUI or command line configuration. +
+ +
+ Disabling the Trust Policy Module + + This module is installed and enabled by default. It may + be disabled in the following ways: + + + Use the + during the p11-kit + build. + Disable loading trust policy information + from this module by adding a file to /etc/pkcs11/modules + called p11-kit-trust.module containing a + trust-policy: line. + Disable this module completely by + adding a file to /etc/pkcs11/modules + called p11-kit-trust.module containing a + enable-in: line. + + +
+ + diff --git a/doc/style.css b/doc/style.css index e70190a..b4b8d47 100644 --- a/doc/style.css +++ b/doc/style.css @@ -99,10 +99,14 @@ DIV.toc DL { margin-bottom: 0; } -DIV.toc > DL > DT { +DIV.book > DIV.toc > DL > DT { margin-top: 1em; } DIV.toc DT { margin-bottom: 0.3em; } + +TABLE.variablelist SPAN.term { + padding-right: 1em; +} -- cgit v1.1