Testing the trust module on Thursday

Stef Walter stef at thewalter.net
Fri Mar 29 05:46:17 PDT 2013

On 03/29/2013 01:49 AM, Daniel Kahn Gillmor wrote:
> Thanks for suggesting this, it was a good spur for me to try it out.
> I tried this on two debian sid/experimental systems, amd64
> (little-endian, 64-bit) and powerpc (big-endian, 32-bit) architectures,
> using p11-kit 0.17.4-2 from debian experimental.
> I diverted the existing libnssckbi.so and replaced it with this
> sequence:
> dpkg-divert --divert /usr/lib/$(dpkg-architecture -qDEB_BUILD_MULTIARCH)/nss/libnssckbi.so.orig /usr/lib/$(dpkg-architecture -qDEB_BUILD_MULTIARCH)/nss/libnssckbi.so
> mv /usr/lib/$(dpkg-architecture -qDEB_BUILD_MULTIARCH)/nss/libnssckbi.so /usr/lib/$(dpkg-architecture -qDEB_BUILD_MULTIARCH)/nss/libnssckbi.so.orig 
> ln -s ../pkcs11/p11-kit-trust.so /usr/lib/$(dpkg-architecture -qDEB_BUILD_MULTIARCH)/nss/libnssckbi.so
> That that done, when launching iceweasel, the browser sees
> p11-kit-trust.so as the "built-in root"
> And "dpkg-reconfigure ca-certificates" (as the superuser) lets me change
> what gets listed as coming from the "System Trust" in the "Authorities"
> tab on the cert manager.
> I note that i need to restart iceweasel after making these system
> trusted root changes to see them within iceweasel, but that's not much
> of a surprise, nor do i think it is really a problem.
> So that's great! :)

Awesome :)

> One other observation on the 32-bit powerpc platform, a bunch of
> messages like this come up:
> p11-kit: 'timet >= 0' not true at when_and_offset_to_time_t
> p11-kit: 'timet >= 0' not true at calc_date
> I assume this is due to certificates that expire after Y2038.  Is it
> possible that we can use something other than time_t within p11-kit, for
> those platforms where time_t is still 32 bits?

Indeed it is. There is a patch in p11-kit 0.17.5 to fix the issue, and a
second, perhaps better patch attached to the bug as well:


> Thanks for all the work to get p11-kit to this state, i'm quite glad to
> see this progress!

By the way, for Debian there are these outstanding bugs:


As noted, I've tried to duplicate the issue (using a QEMU armel debian
squeeze VM), but have been unsuccessful. I'd like to get these fixed
before we push out a stable 0.18.0 version of p11-kit.

If you perhaps have some insight into them, or a way to reproduce the
issue, that would be really appreciated.



More information about the p11-glue mailing list