p11-kit trust module on Debian and OpenSUSE
ludwig.nussel at suse.de
Mon Jun 24 05:31:31 PDT 2013
Stef Walter wrote:
> On 20.06.2013 08:39, Ludwig Nussel wrote:
>> Stef Walter wrote:
>>> On 12.06.2013 13:51, Ludwig Nussel wrote:
>>>> What is the native way to blacklist stuff in p11-kit?
>>> p11-kit-trust module loads from directories specified in
>>> --with-trust-paths during ./configure. For example, one might have:
>>> /usr/share/pki/trust (for files installed by rpms)
>>> /etc/pki/trust (for files added by admins)
>> Talking about path names... It looks like there are several variants. I see
>> that Fedora went ahead with using /etc/pki/ca-trust/source and
>> /usr/share/pki/ca-trust-source. The p11-kit documentation refers to
>> /usr/share/p11-kit/trust. So far we put the certificates in
>> /usr/share/ca-certificates but there is no need to stick to that.
>> What's wrong with /usr/share/pki/trust that Fedora didn't use it?
> This is all primarily because Fedora had editable certificate bundles.
> Yes, the certificate bundles were installed by ca-certificates as config
> files, meaning that admins could edit them.
> The current system in Debian and OpenSUSE is saner, where admins are
> explicitly pointed to putting their certificate edits in separate files,
> and not editing the generated bundles directly.
> So when the time came for Fedora to use the p11-kit-trust, there was an
> additional layer of indirection needed.
> Although to be honest, it's even a bit more complex than that. Kai, the
> maintainer wanted to have the current setup.
> What I'm currently working on is tools for adding/removing anchors and
> blacklists via the p11-kit-trust module itself. I hope that this
> resolves the issue of having different input directories on different
It would hide the exact location at least. At the same time it adds
another layer of indirection so you can't just use rpm -qf to find out
where a certificate comes from.
> In fact, that's why I've been waiting to do the OpenSUSE/Debian
> implementation of this stuff. Because once we have a tool to write
> things to the right place, it'll be simple to implement the migration
> from ca-certificates.conf that you suggested.
Since we needed to make changes to ca-certificates anyways to avoid a
build loop I've now implemented the p11-kit based ca-certificates
package for openSUSE. I've used /usr/share/pki/trust resp
/etc/pki/trust for now: https://github.com/openSUSE/ca-certificates
We are still way ahead of feature freeze so any kind of change is
(o_ Ludwig Nussel
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)