Trust module changes

Stef Walter stefw at redhat.com
Fri Mar 15 11:47:49 PDT 2013


Well I've pushed the various changes to the master branch of p11-kit
trust module. These were things that came up when a bunch of us actually
tried to use it for real :)

At a high level this includes:

 * Proper prioritization of the various input paths. The first
   configured path has the highest priority.
 * When extracting certificates, don't export duplicate certificates.
   Instead use prioritization to behave appropriately. [2]
 * p11-kit specific persistence format to describe certain trust
   policy that couldn't be represented by other input files [3]
 * Allow comments to be added to the PEM bundle.

Some details below:

CONFIGURING TRUST MODULE INPUT PATHS

The --with-system-anchors and --with-system-certificates ./configure
arguments are gone. This is replaced by a single --with-trust-paths
./configure argument.

The arguments are separated by colons as before. The first path
specified has the highest priority when it comes to looking up CA's and
stuff. [4]

Since the --with-system-anchors and --with-system-certificates arguments
were only there very briefly, I've removed them without trying to
provide backward compatibility. Sorry bout that. But if any packagers
balk at this too loudly, I'll be accommodating :)


EXTRACTING COMBINED TRUST POLICY

There's a new extract filter called --filter=trust-policy [5] which
tries to extract as much trust policy as fits into the output format. As
noted above, not all forms of trust policy fit into formats like OpenSSL
trusted certificates.

Each certificate should only be extracted once, even if it's placed in
multiple input paths.


PERSIST INPUT FORMAT

There's a new input format that's p11-kit specific. I tried to make it
debuggable and readable. But it's not meant to be written by arbitrary
other applications.

Eventually the p11-kit trust module will write this format too, and I
want to provide tools for configuring CA trust and stuff. Until then
there's a need for folks distributing the Mozilla CA bundle to write out
certain data in this input format, such as blacklisted certificates for
which we have no actual certificate data (merely issuer + serial number).



Anyway, all of the above is on the master branch. I've written tons of
tests for these changes and documented them well. But like any good
developer I've hidden bugs for folks to find. :P  No, seriously, any
testing that's done is really appreciated.

FWIW, I've also branched a 'stable' branch for further 0.16.x releases,
although the 0.16.x series did not end up being that stable.

Cheers,

Stef


[1] https://bugs.freedesktop.org/show_bug.cgi?id=61978

[2] https://bugs.freedesktop.org/show_bug.cgi?id=61497

[3] https://bugs.freedesktop.org/show_bug.cgi?id=62156

[4] http://p11-glue.freedesktop.org/doc/p11-kit/trust.html

[5] http://p11-glue.freedesktop.org/doc/p11-kit/p11-kit.html
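The following is an added illustration, not code from p11-kit or from the announcement above. It sketches the two behaviours the mail describes for extraction: input paths are taken in the order configured (first path wins), and a certificate that appears in several input paths is written out only once, with PEM comment lines carried along. The colon-separated path string, the directory names, the '#' comment convention and the PEM bodies are all constructed assumptions for the example; the base64 payloads are placeholders, not real certificates.

```python
"""Added example, not p11-kit's own code: prioritized, de-duplicated
extraction of a PEM bundle from several configured trust paths."""
import hashlib
import re

# Constructed configuration: the first path has the highest priority.
# The directory names are assumed for the example, not taken from p11-kit.
TRUST_PATHS = "/etc/pki/ca-trust/source:/usr/share/pki/ca-trust-source"

# Constructed bundles keyed by input path. The base64 bodies are placeholders.
# Certificate "B" is present in both paths and must be exported only once.
BUNDLES = {
    "/etc/pki/ca-trust/source": (
        "# Local CA added by the administrator (constructed)\n"
        "-----BEGIN CERTIFICATE-----\n"
        "AAAAAAAAAAAAAAAA\n"
        "-----END CERTIFICATE-----\n"
        "-----BEGIN CERTIFICATE-----\n"
        "BBBBBBBBBBBBBBBB\n"
        "-----END CERTIFICATE-----\n"
    ),
    "/usr/share/pki/ca-trust-source": (
        "# Distribution bundle (constructed)\n"
        "-----BEGIN CERTIFICATE-----\n"
        "BBBBBBBBBBBBBBBB\n"
        "-----END CERTIFICATE-----\n"
        "-----BEGIN CERTIFICATE-----\n"
        "CCCCCCCCCCCCCCCC\n"
        "-----END CERTIFICATE-----\n"
    ),
}

# One PEM block, optionally preceded by '#' comment lines (assumed convention).
PEM_RE = re.compile(
    r"((?:^#[^\n]*\n)*)"
    r"-----BEGIN CERTIFICATE-----\n"
    r"((?:[A-Za-z0-9+/=]+\n)+)"
    r"-----END CERTIFICATE-----",
    re.MULTILINE,
)


def split_trust_paths(spec):
    """Split a colon-separated path list, keeping order; empty entries are dropped."""
    return [p for p in spec.split(":") if p]


def parse_bundle(text):
    """Return (comment, base64 body) pairs for every certificate block in a bundle."""
    return [(m.group(1), m.group(2)) for m in PEM_RE.finditer(text)]


def fingerprint(body):
    """Identity of a certificate for de-duplication: hash of its base64 body."""
    return hashlib.sha256(body.replace("\n", "").encode("ascii")).hexdigest()[:16]


def extract(trust_paths, bundles):
    """Walk the paths in priority order and keep the first copy of each certificate."""
    seen = {}
    ordered = []
    for path in split_trust_paths(trust_paths):
        for comment, body in parse_bundle(bundles.get(path, "")):
            fp = fingerprint(body)
            if fp in seen:
                # Lower-priority duplicate: record where it was shadowed, do not export it.
                seen[fp]["shadowed"].append(path)
                continue
            entry = {"fingerprint": fp, "source": path,
                     "comment": comment.strip(), "body": body, "shadowed": []}
            seen[fp] = entry
            ordered.append(entry)
    return ordered


def render_bundle(entries):
    """Write the de-duplicated certificates back out as a commented PEM bundle."""
    out = []
    for e in entries:
        out.append(f"# source: {e['source']}\n")
        if e["comment"]:
            out.append(e["comment"] + "\n")
        out.append("-----BEGIN CERTIFICATE-----\n" + e["body"]
                   + "-----END CERTIFICATE-----\n")
    return "".join(out)


if __name__ == "__main__":
    print(render_bundle(extract(TRUST_PATHS, BUNDLES)))
```

Running the script prints three certificate blocks: "A" and "B" attributed to the first path, "C" to the second; the second copy of "B" is dropped rather than exported twice.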


More information about the p11-glue mailing list