Trust module changes
stefw at redhat.com
Fri Mar 15 11:47:49 PDT 2013
Well, I've pushed the various changes to the master branch of the p11-kit
trust module. These were things that came up when a bunch of us actually
tried to use it for real :)
At a high level this includes:
* Proper prioritization of the various input paths. The first
configured path has the highest priority.
* When extracting certificates, don't export duplicate certificates.
Instead use prioritization to behave appropriately. 
* A p11-kit-specific persistence format to describe certain trust
policy that couldn't be represented by other input files.
* Allow comments to be added to the PEM bundle.
Some details below:
CONFIGURING TRUST MODULE INPUT PATHS
The --with-system-anchors and --with-system-certificates ./configure
arguments are gone. This is replaced by a single --with-trust-paths.
The arguments are separated by colons as before. The first path
specified has the highest priority when it comes to looking up CAs and
Since the --with-system-anchors and --with-system-certificates arguments
were only there very briefly, I've removed them without trying to
provide backward compatibility. Sorry bout that. But if any packagers
balk at this too loudly, I'll be accommodating :)
EXTRACTING COMBINED TRUST POLICY
There's a new extract filter called --filter=trust-policy which
tries to extract as much trust policy as fits into the output format. As
noted above, not all forms of trust policy fit into formats like OpenSSL
Each certificate should only be extracted once, even if it's placed in
multiple input paths.
PERSIST INPUT FORMAT
There's a new input format that's p11-kit specific. I tried to make it
debuggable and readable. But it's not meant to be written by arbitrary
other applications.
Eventually the p11-kit trust module will write this format too, and I
want to provide tools for configuring CA trust and stuff. Until then
there's a need for folks distributing the Mozilla CA bundle to write out
certain data in this input format, such as blacklisted certificates for
which we have no actual certificate data (merely issuer + serial number).
Anyway, all of the above is on the master branch. I've written tons of
tests for these changes and documented them well. But like any good
developer I've hidden bugs for folks to find. :P No, seriously, any
testing that's done is really appreciated.
FWIW, I've also branched a 'stable' branch for further 0.16.x releases,
although the 0.16.x series did not end up being that stable.