p11-kit trust module on Debian and OpenSUSE

Stef Walter stef at thewalter.net
Wed Jun 12 11:41:57 PDT 2013


On 12.06.2013 13:51, Ludwig Nussel wrote:
> Stef Walter wrote:
>> So to summarize Debian and OpenSUSE use update-ca-certificates which
>> reads ca-certificates.conf if it exists. This file is a way of denoting
>> which CA certificates in /usr/share/ca-certificates are
>> whitelisted/blacklisted. If it doesn't exist then everything in
>> /usr/share/ca-certificates is used.
> 
> Note that IIRC Debian semantics of ca-certificates.conf are slightly
> different. All certificates need to be listed in there to be considered
> by update-ca-certificates. This is a problem for distribution packages
> because you cannot really know whether an entry is missing because the
> admin took it out or because an old version of the package didn't
> contain the certificate. So for openSUSE I decided to not use this
> whitelist approach but instead only use the blacklist feature.
> 
>> I'd like to help replace much of update-ca-certificates with the p11-kit
>> trust module, and extract tools. But because ca-certificates.conf is
>> widely used, there's the need to continue to support that.
> 
> What is the native way to blacklist stuff in p11-kit? 

p11-kit-trust module loads from directories specified in
--with-trust-paths during ./configure. For example, one might have:

/usr/share/pki/trust (for files installed by rpms)
/etc/pki/trust (for files added by admins)


Each directory can have a blacklist subdirectory. Certificates placed in
that subdirectory are automatically added to the blacklist.

More details:

http://p11-glue.freedesktop.org/doc/p11-kit/trust.html#trust-files

> Maybe it's
> possible to do a one-shot conversion of ca-certificates.conf in some
> %post script?

Indeed.

I had imagined that ca-certificates.conf was a cross distro standard,
and so was willing to support it directly in p11-kit. But if it is
fragmented, then it does make more sense to move away from it.

So the %post script would look for any certificates blacklisted, and
move them into the appropriate /etc/pki/trust/blacklist/ subdirectory.
In addition it would move stuff from /usr/share/local/ca-certificates
into /etc/pki/trust/anchors/

Cheers,

Stef

-- 

stef at thewalter.net
http://stef.thewalter.net
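The one-shot %post conversion sketched in the message above, written out as an added shell example; it is not code from p11-kit, Debian or openSUSE. It assumes the ca-certificates.conf format that Debian's update-ca-certificates reads (one path per line relative to /usr/share/ca-certificates, a leading "!" deselecting that certificate, "#" for comments), Debian's /usr/local/share/ca-certificates as the admin-supplied directory, and the /etc/pki/trust layout named in the message. The function names, the flattened file naming in the blacklist directory and the "--system" switch are this example's own choices; all paths are parameters so the functions can be exercised against a scratch tree.

```shell
#!/bin/sh
# Added example: convert a Debian-style ca-certificates.conf into p11-kit
# trust directories. Not part of p11-kit, Debian or openSUSE.
#
# ca-certificates.conf as read by update-ca-certificates (assumption):
#   - one path per line, relative to CA_SHARE (/usr/share/ca-certificates)
#   - a leading "!" marks the certificate as deselected (blacklisted)
#   - lines beginning with "#" are comments; blank lines are ignored

# convert_blacklist CONF CA_SHARE TRUST_DIR
# Copies each "!"-prefixed entry of CONF that exists under CA_SHARE into
# TRUST_DIR/blacklist/, which the p11-kit trust module treats as blacklisted.
# Prints the number of certificates blacklisted; returns 1 if CONF is absent.
convert_blacklist() {
    conf=$1; ca_share=$2; trust_dir=$3
    [ -f "$conf" ] || return 1
    mkdir -p "$trust_dir/blacklist"
    count=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;          # blank line or comment
            '!'*)    rel=${line#!} ;;     # deselected entry
            *)       continue ;;          # selected entry: nothing to do
        esac
        # Refuse entries that try to escape CA_SHARE (absolute or "..").
        case $rel in
            /*|../*|*/../*)
                echo "skipping suspicious entry: $line" >&2
                continue ;;
        esac
        src="$ca_share/$rel"
        if [ -f "$src" ]; then
            # Flatten "mozilla/Foo.crt" to "mozilla_Foo.crt" so names stay unique.
            dest="$trust_dir/blacklist/$(printf '%s' "$rel" | tr '/' '_')"
            cp "$src" "$dest"
            count=$((count + 1))
        else
            # Either removed by the admin or never shipped by an older package;
            # it is not installed, so there is nothing to blacklist.
            echo "blacklisted entry not installed, ignoring: $rel" >&2
        fi
    done < "$conf"
    echo "$count"
}

# migrate_local_anchors LOCAL_DIR TRUST_DIR
# Moves admin-supplied certificates from LOCAL_DIR (assumed to be Debian's
# /usr/local/share/ca-certificates) into TRUST_DIR/anchors/ so the p11-kit
# trust module treats them as anchors. Prints the number of files moved.
migrate_local_anchors() {
    local_dir=$1; trust_dir=$2
    mkdir -p "$trust_dir/anchors"
    count=0
    if [ ! -d "$local_dir" ]; then
        echo 0
        return 0
    fi
    for f in "$local_dir"/*.crt "$local_dir"/*.pem; do
        [ -f "$f" ] || continue
        mv "$f" "$trust_dir/anchors/"
        count=$((count + 1))
    done
    echo "$count"
}

# Invoked as "<script> --system" from a %post scriptlet, use the real paths.
if [ "${1:-}" = "--system" ]; then
    convert_blacklist /etc/ca-certificates.conf /usr/share/ca-certificates /etc/pki/trust
    migrate_local_anchors /usr/local/share/ca-certificates /etc/pki/trust
fi
```

Because only "!" entries are acted on, this follows the blacklist-only interpretation Ludwig describes for openSUSE rather than Debian's whitelist semantics: a certificate that is simply absent from the file is left alone, since the script cannot tell an admin's removal from an older package that never shipped it.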