summaryrefslogtreecommitdiff
path: root/doc/manual/pkcs11.conf.xml
diff options
context:
space:
mode:
Diffstat (limited to 'doc/manual/pkcs11.conf.xml')
-rw-r--r--doc/manual/pkcs11.conf.xml281
1 files changed, 0 insertions, 281 deletions
diff --git a/doc/manual/pkcs11.conf.xml b/doc/manual/pkcs11.conf.xml
deleted file mode 100644
index ffd89a5..0000000
--- a/doc/manual/pkcs11.conf.xml
+++ /dev/null
@@ -1,281 +0,0 @@
-<?xml version='1.0'?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
- "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"
-[
- <!ENTITY sysdir SYSTEM "sysdir.xml">
- <!ENTITY userdir SYSTEM "userdir.xml">
-]>
-
-<refentry id="pkcs11-conf">
-
-<refentryinfo>
- <title>pkcs11.conf</title>
- <productname>p11-kit</productname>
- <authorgroup>
- <author>
- <contrib>Maintainer</contrib>
- <firstname>Stef</firstname>
- <surname>Walter</surname>
- <email>stef@thewalter.net</email>
- </author>
- </authorgroup>
-</refentryinfo>
-
-<refmeta>
- <refentrytitle>pkcs11.conf</refentrytitle>
- <manvolnum>5</manvolnum>
- <refmiscinfo class="manual">System Files</refmiscinfo>
-</refmeta>
-
-<refnamediv>
- <refname>pkcs11.conf</refname>
- <refpurpose>Configuration files for PKCS#11 modules</refpurpose>
-</refnamediv>
-
-<refsect1 id="pkcs11-conf-description">
- <title>Description</title>
- <para>The <command>pkcs11.conf</command> configuration files are a standard
- way to configure PKCS#11 modules.</para>
-</refsect1>
-
-<refsect1 id="config-format">
- <title>File format</title>
- <para>A complete configuration consists of several files. These files are
- text files. Since <literal>p11-kit</literal> is built to be used in all
- sorts of environments and at very low levels of the software stack, we
- cannot make use of high level configuration APIs that you may find on a
- modern desktop.</para>
-
- <para>Each setting in the config file is specified consists of a name and
- a value. The name is a simple string consisting of characters and dashes.
- The name consists of alpha numeric characters, dot, hyphen and
- underscore.</para>
-
- <para>The value is specified after the name on the same line, separated
- from it by a <literal>:</literal> (colon). White space between the
- name and value is ignored.</para>
-
- <para>Blank lines are ignored. White space at the beginning or end of
- lines is stripped. Lines that begin with a <literal>#</literal> character
- are ignored as comments. Comments are not recognized when they come after
- a value on a line.</para>
-
- <para>A fictitious module configuration file might look like:</para>
-<programlisting>
-module: module.so
-# Here is a comment
-
-managed: true
-setting.2: A long value with text.
-x-custom : text
-</programlisting>
-</refsect1>
-
-<refsect1 id="config-module">
- <title>Module Configuration</title>
-
- <para>Each configured PKCS#11 module has its own config file. These files
- can be <link linkend="config-locations">placed in various locations</link>.</para>
- <para>The filename of the configuration file may consist of upper and lowercase letters
- underscore, comma, dash and dots. The first characters needs to be an alphanumeric,
- the filename should end with a <literal>.module</literal> extension.</para>
- <para>Most importantly each config file specifies the path of the PKCS#11 module to
- load. A module config file has the following fields:</para>
-
- <variablelist>
- <varlistentry>
- <term><option>module:</option></term>
- <listitem>
- <para>The filename of the PKCS#11 module to load.
- This should include an extension like <literal>.so</literal></para>
- <para>If this value is blank, then the module will be ignored.
- This can be used in the user configs to override loading of a module
- specified in the system configuration.</para>
-
- <para>If this is a relative path, then the module will be loaded
- from the <link linkend="devel-paths-modules">default module directory</link>.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><option>critical:</option></term>
- <listitem>
- <para>Set to <literal>yes</literal> if the module is critical and
- required to load. If a critical module fails to load or initialize,
- then the loading process for all registered modules will abort and
- return an error code.</para>
-
- <para>This argument is optional and defaults to <literal>no</literal>.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><option>enable-in:</option></term>
- <listitem>
- <para>A comma and/or space separated list of names of programs that
- this module should only be loaded in. The module will not be loaded
- for other programs using p11-kit. The base name of the process executable
- should be used here, for example
- <literal>seahorse, ssh</literal>.</para>
- <para>This is not a security feature. The argument is optional. If
- not present, then any process will load the module.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><option>disable-in:</option></term>
- <listitem>
- <para>A comma and/or space separated list of names of programs that
- this module should not be loaded in. The module will be loaded for any
- other programs using p11-kit. The base name of the process
- executable should be used here, for example
- <literal>firefox, thunderbird-bin</literal>.</para>
- <para>This is not a security feature. The argument is optional. If
- not present, then any process will load the module.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><option>managed:</option></term>
- <listitem>
- <para>Set to <literal>no</literal> if the module is not to be managed by
- p11-kit. Making a module unmanaged is not recommended, and will cause
- problems if multiple callers in a single process share a PKCS#11 module.</para>
-
- <para>This argument is optional and defaults to <literal>yes</literal>.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><option>priority:</option></term>
- <listitem>
- <para>The value should be an integer. When lists of modules are
- returned to a caller of p11-kit, modules with a higher number are sorted
- first. When applications search modules for certificates, keys and
- trust policy information, this setting will affect what find
- first.</para>
- <para>This argument is optional, and defaults to zero. Modules
- with the same <option>priority</option> option will be sorted
- alphabetically.</para>
- </listitem>
- </varlistentry>
- <varlistentry id="option-remote">
- <term><option>remote:</option></term>
- <listitem>
- <para>Instead of loading the PKCS#11 module locally, run the module
- remotely.</para>
- <para>Specify a command to run, prefixed with <literal>|</literal> a pipe.
- The command must speak the p11-kit remoting protocol on its standard in
- and standard out. For example:</para>
-<programlisting>
-remote: |ssh user@remote p11-kit remote /path/to/module.so
-</programlisting>
- <para>Other forms of remoting will appear in later p11-kit releases.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term><option>trust-policy:</option></term>
- <listitem>
- <para>Set to <literal>yes</literal> to use use this module as a source
- of trust policy information such as certificate anchors and black lists.</para>
- </listitem>
- </varlistentry>
- <varlistentry id="option-log-calls">
- <term>log-calls:</term>
- <listitem>
- <para>Set to <literal>yes</literal> to write a log to stderr of all the
- calls into the module. This is only supported for managed modules.</para>
-
- <para>This argument is optional and defaults to <literal>no</literal>.</para>
- </listitem>
- </varlistentry>
- </variablelist>
-
- <para>Do not specify both <literal>enable-in</literal> and <literal>disable-in</literal>
- for the same module.</para>
-
- <para>Other fields may be present, but it is recommended that field names
- that are not specified in this document start with a <literal>x-</literal>
- prefix.</para>
-</refsect1>
-
-<refsect1 id="config-global">
- <title>Global Configuration</title>
-
- <para>A global configuration may also be present. This file contains settings
- that are not related to a single PKCS#11 module. The location(s) of the
- global configuration are described below. The global configuration file
- can contain the following fields:</para>
-
- <variablelist>
- <varlistentry>
- <term><option>user-config:</option></term>
- <listitem><para>This will be equal to one of the following values:
- <literal>none</literal>, <literal>merge</literal>,
- <literal>only</literal>.</para></listitem>
- </varlistentry>
- <varlistentry>
- <term><option>managed:</option></term>
- <listitem>
- <para>Set to <literal>yes</literal> or <literal>no</literal> to
- force all modules to be managed or unmanaged by p11-kit. Setting this
- setting in a global configuration file will override the
- <literal>managed</literal> setting in the individual module configuration
- files. Making modules unmanaged is not recommended, and will cause
- problems if multiple callers in a single process share a PKCS#11
- module.</para>
-
- <para>This argument is optional.</para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>log-calls:</term>
- <listitem>
- <para>Set to <literal>yes</literal> to write a log to stderr of all the
- calls into all configured modules. This is only supported for managed
- modules.</para>
-
- <para>This argument is optional.</para>
- </listitem>
- </varlistentry>
- </variablelist>
-
- <para>Other fields may be present, but it is recommended that field names
- that are not specified in this document start with a <literal>x-</literal>
- prefix.</para>
-</refsect1>
-
-<refsect1 id="config-locations">
- <title>Configuration Files</title>
-
- <para>Each configured PKCS#11 module has its own config file. These
- files are placed in a directory. In addition a global config file exists.
- There is a system configuration consisting of the various module config
- files and a file for global configuration. Optionally each user can provide
- additional configuration or override the system configuration.</para>
-
- <para>The system global configuration file is usually in
- <literal>&sysdir;/pkcs11.conf</literal> and the user global
- configuration file is in <literal>&userdir;/pkcs11.conf</literal> in the
- user's home directory.</para>
-
- <para>The module config files are usually located in the
- <literal>&sysdir;/modules</literal> directory, with one configuration
- file per module. In addition the <literal>&userdir;/modules</literal> directory
- can be used for modules installed by the user.</para>
-
- <para>Note that user configuration files are not loaded from the home
- directory if running inside a setuid or setgid program.</para>
-
- <para>The default system config file and module directory can be changed
- when building p11-kit. Always
- <link linkend="devel-paths">lookup these paths</link> using
- <literal>pkg-config</literal>.</para>
-</refsect1>
-
-<refsect1 id="pkcs11-conf-see-also">
- <title>See also</title>
- <simplelist type="inline">
- <member><citerefentry><refentrytitle>p11-kit</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
- </simplelist>
- <para>Further details available in the p11-kit online documentation at
- <ulink url="http://p11-glue.freedesktop.org/doc/p11-kit/">http://p11-glue.freedesktop.org/doc/p11-kit/</ulink>.
- </para>
-</refsect1>
-
-</refentry>
View Lorry Controller Status