author | Stef Walter <stefw@gnome.org> | 2013-03-14 10:05:17 +0100 |
---|---|---|
committer | Stef Walter <stefw@gnome.org> | 2013-03-15 17:19:01 +0100 |
commit | 86e60637394340ef2fa3b3db6b451dac1d73052b (patch) | |
tree | 8fa4f4c353534ffc259f9e333e64fbf7d068e913 /doc/manual | |
parent | bf63f009cd4a1147a3e0684d898f140f46666b0e (diff) |
trust: Rework input path treatment
* Accept a single --with-trust-paths argument to ./configure
which contains all the input paths.
* The --with-system-anchors and --with-system-certificates
./configure arguments are no longer supported. Since they were
only present briefly, no provision is made for backwards
compatibility.
* Each input file is treated as containing anchors by default
unless an input certificate contains detailed trust information.
* The files in each input directory are not automatically treated
as anchors unless a certificate contains detailed trust information.
* The files in anchors/ subdirectory of each input directory are
automatically marked as anchors.
* The files in the blacklist/ subdirectory of each input directory
are automatically marked as blacklisted.
* Update tests and move around test certificates so we can
test these changes.
https://bugs.freedesktop.org/show_bug.cgi?id=62327
Diffstat (limited to 'doc/manual')
-rw-r--r-- | doc/manual/p11-kit-trust.xml | 61 |
1 files changed, 34 insertions, 27 deletions
diff --git a/doc/manual/p11-kit-trust.xml b/doc/manual/p11-kit-trust.xml index 0e06446..06f168e 100644 --- a/doc/manual/p11-kit-trust.xml +++ b/doc/manual/p11-kit-trust.xml @@ -9,35 +9,16 @@ information is exposed as PKCS#11 objects.</para> <section id="trust-files"> - <title>Files loaded by the Module</title> + <title>Paths loaded by the Module</title> <para>The trust module loads certificates and trust policy information - from preconfigured directories and allows them to be looked up via - PKCS#11. The directories can be determined with using the following - commands:</para> + from preconfigured paths and allows them to be looked up via PKCS#11. + The input paths can be determined with using the following command:</para> - <itemizedlist> - <listitem> - <para>System Anchors: certificates in these locations - are automatically treated as certificate authority anchors - unless they contain information that prevents that. To check - which locations are being used, run the following command:</para> -<programlisting> -$ pkg-config --variable p11_system_anchors p11-kit-1 -/etc/pki/tls/certs/ca-bundle.trust.crt:/etc/pki/tls/anchors -</programlisting> - </listitem> - <listitem> - <para>System Certificates: certificates in these locations - are not treated as anchors, but simply made available through - the module. To find out which directory is used, run the - following command:</para> <programlisting> -$ pkg-config --variable p11_system_certificates p11-kit-1 -/etc/pki/tls/other-certs +$ pkg-config --variable p11_trust_paths p11-kit-1 +/usr/share/p11-kit/trust:/etc/pki/trust </programlisting> - </listitem> - </itemizedlist> <para>Files in the following formats are supported for loading by the trust policy module:</para> 
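Review bot: the rewritten sentence in this hunk carries over the grammatical slip from the text it replaces: "The input paths can be determined with using the following command:" should read "The input paths can be determined using the following command:". It is also worth saying in that paragraph that the variable is a colon-separated list of paths, as the sample output `/usr/share/p11-kit/trust:/etc/pki/trust` shows; the old text named each location in its own list item, so a reader no longer gets that cue from the structure.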
@@ -45,17 +26,43 @@ $ pkg-config --variable p11_system_certificates p11-kit-1 <variablelist> <varlistentry> <term>X.509 certificates</term> - <listitem><para>X.509 certificates in raw DER format.</para></listitem> + <listitem><para>X.509 certificates in raw DER format. Does not + automatically contain trust policy information.</para></listitem> + </varlistentry> + <varlistentry> + <term>PEM certificates</term> + <listitem><para>X.509 certificates in PEM format. These have a + <literal>BEGIN CERTIFICATE</literal> header. This file does not + automatically contain trust policy information.</para></listitem> </varlistentry> <varlistentry> <term>OpenSSL trust certificates</term> <listitem><para>OpenSSL specific certificates in PEM format that contain trust information. These have a - <literal>TRUSTED CERTIFICATE</literal> PEM header. Both - trust policy and blacklist information can be loaded + <literal>BEGIN TRUSTED CERTIFICATE</literal> PEM header. Both + trust anchor and blacklist information can be loaded from these files.</para></listitem> </varlistentry> </variablelist> + + <para>If the input path is a file, then it is loaded. Certificate(s) in the + file are automatically treated as anchors, unless they contain alternate + trust policy information.</para> + + <para>If the input path is a directory, files inside that directory are + parsed and loaded. If the file contains trust policy information (such as the + OpenSSL trust certificates) then it will be respected. Files without trust policy + information are not automatically marked as an anchor or blacklisted.</para> + + <para>In addition two optional subdirectories of the input path are loaded. Files + placed in the <literal>anchors/</literal> subdirectory become trust anchors + when they do not contain trust policy information. 
Files placed in the + <literal>blacklist/</literal> subdirectory are blacklisted whether they + contain trust information or not.</para> + + <para>The first input path becomes the first PKCS#11 token of the trust + module, and has the highest priority when callers search for trust + policy information.</para> </section> <section id="trust-nss"> |
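Review bot: the new "X.509 certificates" entry ends in a subjectless fragment, "Does not automatically contain trust policy information.", while the "PEM certificates" entry says "This file does not automatically contain trust policy information."; make the two entries read the same, e.g. "These do not contain trust policy information.", and drop "automatically", which suggests such files sometimes can, when the entry that can is the OpenSSL trust certificate one. Two smaller points in the added paragraphs: "In addition two optional subdirectories" needs a comma after "In addition", and "files inside that directory are parsed and loaded" should say whether subdirectories other than anchors/ and blacklist/ are descended, since the commit message only describes those two.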