diff options
| author | Stef Walter <stefw@gnome.org> | 2013-03-14 10:05:17 +0100 |
|---|---|---|
| committer | Stef Walter <stefw@gnome.org> | 2013-03-15 17:19:01 +0100 |
| commit | 86e60637394340ef2fa3b3db6b451dac1d73052b (patch) | |
| tree | 8fa4f4c353534ffc259f9e333e64fbf7d068e913 /doc/manual/p11-kit-trust.xml | |
| parent | bf63f009cd4a1147a3e0684d898f140f46666b0e (diff) | |
| download | p11-kit-86e60637394340ef2fa3b3db6b451dac1d73052b.tar.gz | |
trust: Rework input path treatment
* Accept a single --with-trust-paths argument to ./configure
which cotnains all the input paths.
* The --with-system-anchors and --with-system-certificates
./configure arguments are no longer supported. Since they were
only present briefly, no provision is made for backwards
compatibility.
* Each input file is treated as containing anchors by default
unless an input certificate contains detailed trust information.
* The files in each input directory are not automatically treated
as anchors unless a certificate contains detailed trust information.
* The files in anchors/ subdirectory of each input directory are
automatically marked as anchors.
* The files in the blacklist/ subdirectory of each input directory
are automatically marked as blacklisted.
* Update tests and move around test certificates so we can
test these changes.
https://bugs.freedesktop.org/show_bug.cgi?id=62327
Diffstat (limited to 'doc/manual/p11-kit-trust.xml')
| -rw-r--r-- | doc/manual/p11-kit-trust.xml | 61 |
1 files changed, 34 insertions, 27 deletions
diff --git a/doc/manual/p11-kit-trust.xml b/doc/manual/p11-kit-trust.xml index 0e06446..06f168e 100644 --- a/doc/manual/p11-kit-trust.xml +++ b/doc/manual/p11-kit-trust.xml @@ -9,35 +9,16 @@ information is exposed as PKCS#11 objects.</para> <section id="trust-files"> - <title>Files loaded by the Module</title> + <title>Paths loaded by the Module</title> <para>The trust module loads certificates and trust policy information - from preconfigured directories and allows them to be looked up via - PKCS#11. The directories can be determined with using the following - commands:</para> + from preconfigured paths and allows them to be looked up via PKCS#11. + The input paths can be determined with using the following command:</para> - <itemizedlist> - <listitem> - <para>System Anchors: certificates in these locations - are automatically treated as certificate authority anchors - unless they contain information that prevents that. To check - which locations are being used, run the following command:</para> -<programlisting> -$ pkg-config --variable p11_system_anchors p11-kit-1 -/etc/pki/tls/certs/ca-bundle.trust.crt:/etc/pki/tls/anchors -</programlisting> - </listitem> - <listitem> - <para>System Certificates: certificates in these locations - are not treated as anchors, but simply made available through - the module. To find out which directory is used, run the - following command:</para> <programlisting> -$ pkg-config --variable p11_system_certificates p11-kit-1 -/etc/pki/tls/other-certs +$ pkg-config --variable p11_trust_paths p11-kit-1 +/usr/share/p11-kit/trust:/etc/pki/trust </programlisting> - </listitem> - </itemizedlist> <para>Files in the following formats are supported for loading by the trust policy module:</para> @@ -45,17 +26,43 @@ $ pkg-config --variable p11_system_certificates p11-kit-1 <variablelist> <varlistentry> <term>X.509 certificates</term> - <listitem><para>X.509 certificates in raw DER format.</para></listitem> + <listitem><para>X.509 certificates in raw DER format. Does not + automatically contain trust policy information.</para></listitem> + </varlistentry> + <varlistentry> + <term>PEM certificates</term> + <listitem><para>X.509 certificates in PEM format. These have a + <literal>BEGIN CERTIFICATE</literal> header. This file does not + automatically contain trust policy information.</para></listitem> </varlistentry> <varlistentry> <term>OpenSSL trust certificates</term> <listitem><para>OpenSSL specific certificates in PEM format that contain trust information. These have a - <literal>TRUSTED CERTIFICATE</literal> PEM header. Both - trust policy and blacklist information can be loaded + <literal>BEGIN TRUSTED CERTIFICATE</literal> PEM header. Both + trust anchor and blacklist information can be loaded from these files.</para></listitem> </varlistentry> </variablelist> + + <para>If the input path is a file, then it is loaded. Certificate(s) in the + file are automatically treated as anchors, unless they contain alternate + trust policy information.</para> + + <para>If the input path is a directory, files inside that directory are + parsed and loaded. If the file contains trust policy information (such as the + OpenSSL trust certificates) then it will be respected. Files without trust policy + information are not automatically marked as an anchor or blacklisted.</para> + + <para>In addition two optional subdirectories of the input path are loaded. Files + placed in the <literal>anchors/</literal> subdirectory become trust anchors + when they do not contain trust policy information. Files placed in the + <literal>blacklist/</literal> subdirectory are blacklisted whether they + contain trust information or not.</para> + + <para>The first input path becomes the first PKCS#11 token of the trust + module, and has the highest priority when callers search for trust + policy information.</para> </section> <section id="trust-nss"> |