Testing the trust module on Thursday

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Mar 28 17:49:11 PDT 2013 

On Tue 2013-03-26 12:48:21 -0400, Stef Walter wrote:

> Just so you know, a bunch of us are testing the new p11-kit trust module
> together on Thursday:
>
> http://p11-glue.freedesktop.org/trust-module.html
>
> https://fedoraproject.org/wiki/Test_Day:2013-03-28_Shared_System_Certificates
>
> If anyone is interested in playing around with it (regardless of whether
> you're a Fedora user or not), it's a great time to try it out, poke
> hard, ask questions, try and break it, etc..
>
> Join us at #fedora-test-day or #p11-kit on Freenode.

Thanks for suggesting this, it was a good spur for me to try it out.

I tried this on two debian sid/experimental systems, amd64
(little-endian, 64-bit) and powerpc (big-endian, 32-bit) architectures,
using p11-kit 0.17.4-2 from debian experimental.

I diverted the existing libnssckbi.so and replaced it with this
sequence:

dpkg-divert --divert /usr/lib/$(dpkg-architecture -qDEB_BUILD_MULTIARCH)/nss/libnssckbi.so.orig /usr/lib/$(dpkg-architecture -qDEB_BUILD_MULTIARCH)/nss/libnssckbi.so
mv /usr/lib/$(dpkg-architecture -qDEB_BUILD_MULTIARCH)/nss/libnssckbi.so /usr/lib/$(dpkg-architecture -qDEB_BUILD_MULTIARCH)/nss/libnssckbi.so.orig 
ln -s ../pkcs11/p11-kit-trust.so /usr/lib/$(dpkg-architecture -qDEB_BUILD_MULTIARCH)/nss/libnssckbi.so

That that done, when launching iceweasel, the browser sees
p11-kit-trust.so as the "built-in root"

And "dpkg-reconfigure ca-certificates" (as the superuser) lets me change
what gets listed as coming from the "System Trust" in the "Authorities"
tab on the cert manager.

I note that i need to restart iceweasel after making these system
trusted root changes to see them within iceweasel, but that's not much
of a surprise, nor do i think it is really a problem.

So that's great! :)

One other observation on the 32-bit powerpc platform, a bunch of
messages like this come up:

p11-kit: 'timet >= 0' not true at when_and_offset_to_time_t
p11-kit: 'timet >= 0' not true at calc_date

I assume this is due to certificates that expire after Y2038.  Is it
possible that we can use something other than time_t within p11-kit, for
those platforms where time_t is still 32 bits?

Thanks for all the work to get p11-kit to this state, i'm quite glad to
see this progress!

Regards,

      --dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 965 bytes
Desc: not available
URL: <http://lists.freedesktop.org/archives/p11-glue/attachments/20130328/a3c66e40/attachment.pgp>

More information about the p11-glue mailing list