p11-kit trust module on Debian and OpenSUSE

Ludwig Nussel ludwig.nussel at suse.de
Mon Jun 24 05:31:31 PDT 2013

Stef Walter wrote:
> On 20.06.2013 08:39, Ludwig Nussel wrote:
>> Stef Walter wrote:
>>> On 12.06.2013 13:51, Ludwig Nussel wrote:
>>>> What is the native way to blacklist stuff in p11-kit?
>>> p11-kit-trust module loads from directories specified in
>>> --with-trust-paths during ./configure. For example, one might have;
>>> /usr/share/pki/trust (for files installed by rpms)
>>> /etc/pki/trust (for files added by admins)
>> Talking about path names... It looks like there are several variants. I see
>> that Fedora went ahead with using /etc/pki/ca-trust/source and
>> /usr/share/pki/ca-trust-source. The p11-kit documentation refers to
>> /usr/share/p11-kit/trust. So far we put the certificates in
>> /usr/share/ca-certificates but there is no need to stick to that.
>> What's wrong with /usr/share/pki/trust that Fedora didn't use it?
> This is all primarily because Fedora had editable certificate bundles.
> Yes the certificate bundles were installed by ca-certificates as config
> files, meaning that admins could edit them.
> The current system in Debian and OpenSUSE is saner, where admins are
> explicitly pointed to putting their certificate edits in separate files,
> and not editing the generated bundles directly.
> So when the time came for Fedora to use the p11-kit-trust, there was an
> additional layer of indirection needed.
> Although to be honest, it's even a bit more complex than that. Kai, the
> maintainer wanted to have the current setup.


> What I'm currently working on is tools for adding/removing anchors and
> blacklists via the p11-kit-trust module itself. I hope that this
> resolves the issue of having different input directories on different
> Distros.

It would hide the exact location at least. At the same time it adds
another layer of indirection so you can't just use rpm -qf to find out
where a certificate comes from.

> In fact, that's why I've been waiting to do the OpenSUSE/Debian
> implementation of this stuff. Because once we have a tool to write
> things to the right place, it'll be simple to implement the migration
> from ca-certificates.conf that you suggested.

Since we needed to make changes to ca-certificates anyways to avoid a
build loop I've now implemented the p11-kit based ca-certificates
package for openSUSE. I've used /usr/share/pki/trust resp
/etc/pki/trust for now: https://github.com/openSUSE/ca-certificates
We are still way ahead of feature freeze so any kind of change is
still possible.


  (o_   Ludwig Nussel
  V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)

More information about the p11-glue mailing list