p11-kit trust module on Debian and OpenSUSE

Ludwig Nussel ludwig.nussel at suse.de
Wed Jun 19 23:39:23 PDT 2013


Stef Walter wrote:
> On 12.06.2013 13:51, Ludwig Nussel wrote:
>> What is the native way to blacklist stuff in p11-kit?
>
> p11-kit-trust module loads from directories specified in
> --with-trust-paths during ./configure. For example, one might have:
>
> /usr/share/pki/trust (for files installed by rpms)
> /etc/pki/trust (for files added by admins)

Talking about path names... It looks like there are several variants. I see
that Fedora went ahead with using /etc/pki/ca-trust/source and
/usr/share/pki/ca-trust-source. The p11-kit documentation refers to
/usr/share/p11-kit/trust. So far we put the certificates in
/usr/share/ca-certificates but there is no need to stick to that.
What's wrong with /usr/share/pki/trust that Fedora didn't use it?

>> Maybe it's
>> possible to do a one-shot conversion of ca-certificates.conf in some
>> %post script?
>
> Indeed.
>
> I had imagined that ca-certificates.conf was a cross distro standard,
> and so was willing to support it directly in p11-kit. But if it is
> fragmented, then it does make more sense to move away from it.
>
> So the %post script would look for any certificates blacklisted, and
> move them into the appropriate /etc/pki/trust/blacklist/ subdirectory.

I've prepared the openSUSE package for that method now by putting
symlinks to the certificates in the blacklist directory. However,
p11-kit outputs some annoying warnings about duplicate certificates if I
do that.
Also, when using the ordering of /usr vs /etc like in the docu
(http://p11-glue.freedesktop.org/doc/p11-kit/trust.html#trust-files) the
blacklist symlink in /etc apparently has no effect on certificates that
come from /usr!?

> In addition it would move stuff from /usr/share/local/ca-certificates
> into /etc/pki/trust/anchors/

It's better to not touch /usr/local in packages. It's admin space and
might be mounted via nfs etc. So I'd just ignore /usr/local.

cu
Ludwig

-- 
  (o_   Ludwig Nussel
  //\
  V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
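As an added example that is not part of this thread or of p11-kit itself, here is the kind of one-shot %post conversion discussed above: it reads a Debian/openSUSE-style ca-certificates.conf and creates blacklist symlinks in a p11-kit trust blacklist directory. It assumes the conf format of one "dir/cert.crt" per line with a "!" prefix for disabled certificates and "#" for comments, and takes the source and blacklist directories as parameters (the thread's /usr/share/ca-certificates and /etc/pki/trust/blacklist) so it can be run against scratch directories.

```shell
#!/bin/sh
# Added example: convert ca-certificates.conf "!" (disabled) entries into
# symlinks in a p11-kit blacklist directory. Assumed conf format: one
# "dir/cert.crt" per line, "!" prefix = disabled, "#" = comment.
set -eu

# blacklist_from_conf CONF SRCDIR BLACKLISTDIR -> prints number of links made
blacklist_from_conf() {
    conf=$1; srcdir=$2; dest=$3; count=0
    mkdir -p "$dest"
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;          # blank line or comment
            '!'*)                         # disabled in ca-certificates.conf
                rel=${line#!}
                src="$srcdir/$rel"
                if [ ! -f "$src" ]; then
                    printf 'warning: %s is blacklisted but missing\n' "$src" >&2
                    continue
                fi
                # p11-kit reads every file in the directory, so flatten
                # "mozilla/Foo.crt" into a single file name for the link.
                ln -sfn "$src" "$dest/$(printf '%s' "$rel" | tr '/' '_')"
                count=$((count + 1)) ;;
        esac
    done < "$conf"
    printf '%s\n' "$count"
}

# Demo with constructed input in a scratch directory (not real certificates).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/share/mozilla"
    printf 'constructed PEM placeholder\n' > "$tmp/share/mozilla/Trusted_Root.crt"
    printf 'constructed PEM placeholder\n' > "$tmp/share/mozilla/Distrusted_Root.crt"
    printf '# constructed ca-certificates.conf\nmozilla/Trusted_Root.crt\n!mozilla/Distrusted_Root.crt\n!mozilla/Gone.crt\n' \
        > "$tmp/ca-certificates.conf"
    n=$(blacklist_from_conf "$tmp/ca-certificates.conf" "$tmp/share" "$tmp/blacklist")
    printf 'created %s blacklist link(s):\n' "$n"
    ls -l "$tmp/blacklist"
    rm -rf "$tmp"
}
demo
```

Because the links point at files that p11-kit also loads from the anchor directory, the same certificate is seen twice, which is the duplicate warning Ludwig reports above.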