From 86e60637394340ef2fa3b3db6b451dac1d73052b Mon Sep 17 00:00:00 2001
From: Stef Walter
Date: Thu, 14 Mar 2013 10:05:17 +0100
Subject: trust: Rework input path treatment

* Accept a single --with-trust-paths argument to ./configure which contains all the input paths.
* The --with-system-anchors and --with-system-certificates ./configure arguments are no longer supported. Since they were only present briefly, no provision is made for backwards compatibility.
* Each input file is treated as containing anchors by default unless an input certificate contains detailed trust information.
* The files in each input directory are not automatically treated as anchors unless a certificate contains detailed trust information.
* The files in the anchors/ subdirectory of each input directory are automatically marked as anchors.
* The files in the blacklist/ subdirectory of each input directory are automatically marked as blacklisted.
* Update tests and move around test certificates so we can test these changes.

https://bugs.freedesktop.org/show_bug.cgi?id=62327
---
 doc/manual/p11-kit-trust.xml | 61 ++++++++++++++++++++++++--------------------
 1 file changed, 34 insertions(+), 27 deletions(-)
(limited to 'doc/manual')

diff --git a/doc/manual/p11-kit-trust.xml b/doc/manual/p11-kit-trust.xml index 0e06446..06f168e 100644 --- a/doc/manual/p11-kit-trust.xml +++ b/doc/manual/p11-kit-trust.xml @@ -9,35 +9,16 @@ information is exposed as PKCS#11 objects.
- Files loaded by the Module + Paths loaded by the Module The trust module loads certificates and trust policy information - from preconfigured directories and allows them to be looked up via - PKCS#11. The directories can be determined with using the following - commands: + from preconfigured paths and allows them to be looked up via PKCS#11. + The input paths can be determined with using the following command: - - - System Anchors: certificates in these locations - are automatically treated as certificate authority anchors - unless they contain information that prevents that. To check - which locations are being used, run the following command: - -$ pkg-config --variable p11_system_anchors p11-kit-1 -/etc/pki/tls/certs/ca-bundle.trust.crt:/etc/pki/tls/anchors - - - - System Certificates: certificates in these locations - are not treated as anchors, but simply made available through - the module. To find out which directory is used, run the - following command: -$ pkg-config --variable p11_system_certificates p11-kit-1 -/etc/pki/tls/other-certs +$ pkg-config --variable p11_trust_paths p11-kit-1 +/usr/share/p11-kit/trust:/etc/pki/trust - - Files in the following formats are supported for loading by the trust policy module: 
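Review bot: The added sentence "The input paths can be determined with using the following command:" carries over the grammatical slip from the removed text; drop "with" so it reads "can be determined using the following command". Also, this hunk removes the only statement that certificates in the configured locations are treated as anchors "unless they contain information that prevents that", and the replacement text here says nothing about how files versus directories are handled; since the same patch's second hunk describes that behaviour, consider adding a one-line cross-reference here (e.g. "see below for how files and directories under each path are treated") so a reader who only checks which paths are configured is not left assuming every certificate under them is an anchor.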
@@ -45,17 +26,43 @@ $ pkg-config --variable p11_system_certificates p11-kit-1 X.509 certificates - X.509 certificates in raw DER format. + X.509 certificates in raw DER format. Does not + automatically contain trust policy information. + + + PEM certificates + X.509 certificates in PEM format. These have a + BEGIN CERTIFICATE header. This file does not + automatically contain trust policy information. OpenSSL trust certificates OpenSSL specific certificates in PEM format that contain trust information. These have a - TRUSTED CERTIFICATE PEM header. Both - trust policy and blacklist information can be loaded + BEGIN TRUSTED CERTIFICATE PEM header. Both + trust anchor and blacklist information can be loaded from these files. + + If the input path is a file, then it is loaded. Certificate(s) in the + file are automatically treated as anchors, unless they contain alternate + trust policy information. + + If the input path is a directory, files inside that directory are + parsed and loaded. If the file contains trust policy information (such as the + OpenSSL trust certificates) then it will be respected. Files without trust policy + information are not automatically marked as an anchor or blacklisted. + + In addition two optional subdirectories of the input path are loaded. Files + placed in the anchors/ subdirectory become trust anchors + when they do not contain trust policy information. Files placed in the + blacklist/ subdirectory are blacklisted whether they + contain trust information or not. + + The first input path becomes the first PKCS#11 token of the trust + module, and has the highest priority when callers search for trust + policy information.
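Review bot: The priority paragraph ("The first input path becomes the first PKCS#11 token of the trust module, and has the highest priority when callers search for trust policy information") should state whether ordering affects blacklisting, since this is the property a deployer will rely on: it is not clear from this text whether a certificate blacklisted in a lower-priority path is still rejected when an earlier path carries it as an anchor, or whether the higher-priority token simply wins. A sentence making that explicit (or saying that blacklist entries are honoured regardless of token order, if that is the intended behaviour) would close the gap. Smaller points in the same hunk: the DER entry says "Does not automatically contain trust policy information" while the new PEM entry says "This file does not automatically contain trust policy information", so align the wording; "In addition two optional subdirectories" needs a comma after "In addition"; and the anchors/ sentence ("become trust anchors when they do not contain trust policy information") versus the blacklist/ sentence ("are blacklisted whether they contain trust information or not") describe an asymmetry that is correct per the commit message but would be easier to follow if the anchors/ sentence also said what happens when such a file does carry trust policy information, i.e. that the embedded policy is respected, as the preceding paragraph states for directory files.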