<?xml version="1.0"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN" "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd" [
]>
<chapter xml:id="trust">
<title>Trust Policy Module</title>
<para>The trust module provides system certificate anchors, blacklists
and other trust policy to crypto libraries and applications. This
information is exposed as PKCS#11 objects.</para>
<section id="trust-files">
<title>Files loaded by the Module</title>
<para>The trust module loads certificates and trust policy information
from preconfigured directories and allows them to be looked up via
PKCS#11. The directories can be determined using the following
commands:</para>
<itemizedlist>
<listitem>
<para>System Anchors: certificates in these locations
are automatically treated as certificate authority anchors
unless they contain information that prevents that. To check
which locations are being used, run the following command:</para>
<programlisting>
$ pkg-config --variable p11_system_anchors p11-kit-1
/etc/pki/tls/certs/ca-bundle.trust.crt:/etc/pki/tls/anchors
</programlisting>
</listitem>
<listitem>
<para>System Certificates: certificates in these locations
are not treated as anchors, but simply made available through
the module. To find out which directory is used, run the
following command:</para>
<programlisting>
$ pkg-config --variable p11_system_certificates p11-kit-1
/etc/pki/tls/other-certs
</programlisting>
</listitem>
</itemizedlist>
<para>Files in the following formats are supported for loading by the
trust policy module:</para>
<variablelist>
<varlistentry>
<term>X.509 certificates</term>
<listitem><para>X.509 certificates in raw DER format.</para></listitem>
</varlistentry>
<varlistentry>
<term>OpenSSL trust certificates</term>
<listitem><para>OpenSSL specific certificates in PEM format
that contain trust information. These have a
<literal>TRUSTED CERTIFICATE</literal> PEM header. Both
trust policy and blacklist information can be loaded
from these files.</para></listitem>
</varlistentry>
</variablelist>
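<para>The following shell script is an added example; it is not part of the p11-kit manual or of the project's own tooling. It reads the two location lists through the <literal>pkg-config</literal> variables shown above (the fallback paths used when <literal>pkg-config</literal> is unavailable are assumptions copied from the sample output above), walks each bundle file or directory in the list, and reports which of the supported on-disk formats each file is in, so an administrator can see what the trust module will actually pick up from those locations. The function names and the script name <literal>trust-scan.sh</literal> are this example's own.</para>

```shell
#!/bin/sh
# Added example (not part of the p11-kit manual): enumerate the locations
# the trust module reads and classify each file by its on-disk format.

# Ask pkg-config for the two location lists documented in the manual. The
# variable names are the manual's; the fallback paths are assumptions
# taken from its sample output, for hosts without pkg-config.
trust_locations() {
    anchors=$(pkg-config --variable p11_system_anchors p11-kit-1 2>/dev/null)
    certs=$(pkg-config --variable p11_system_certificates p11-kit-1 2>/dev/null)
    printf 'anchors\t%s\n' "${anchors:-/etc/pki/tls/certs/ca-bundle.trust.crt:/etc/pki/tls/anchors}"
    printf 'certificates\t%s\n' "${certs:-/etc/pki/tls/other-certs}"
}

# Classify one file by the formats the trust module loads:
#   der                raw DER; the first byte 0x30 is the ASN.1 SEQUENCE tag
#   openssl-trust-pem  PEM with a TRUSTED CERTIFICATE header, which may carry
#                      trust policy and blacklist information
#   pem-certificate    plain PEM CERTIFICATE; not in the manual's list, so it
#                      is reported separately for review
#   unknown            anything else found in the location
classify_cert_file() {
    f=$1
    first=$(head -c 1 "$f" | od -An -tx1 | tr -d ' \n')
    if [ "$first" = "30" ]; then
        echo der
    elif grep -q -- '-----BEGIN TRUSTED CERTIFICATE-----' "$f"; then
        echo openssl-trust-pem
    elif grep -q -- '-----BEGIN CERTIFICATE-----' "$f"; then
        echo pem-certificate
    else
        echo unknown
    fi
}

# Walk a colon-separated location list (the format pkg-config prints).
# Each entry may be a single bundle file or a directory of files.
# Output is one "path<TAB>class" line per file; missing entries are flagged.
scan_trust_dirs() {
    list=$1
    old_ifs=$IFS
    IFS=:
    set -f            # no pathname expansion while splitting on ':'
    set -- $list
    set +f
    IFS=$old_ifs
    for loc in "$@"; do
        if [ -f "$loc" ]; then
            printf '%s\t%s\n' "$loc" "$(classify_cert_file "$loc")"
        elif [ -d "$loc" ]; then
            for f in "$loc"/*; do
                [ -f "$f" ] || continue
                printf '%s\t%s\n' "$f" "$(classify_cert_file "$f")"
            done
        else
            printf '%s\tmissing\n' "$loc"
        fi
    done
}

# Usage: sh trust-scan.sh --scan   (runs only when asked, so the functions
# can also be sourced and called individually)
if [ "${1:-}" = "--scan" ]; then
    trust_locations | while read -r kind list; do
        printf '== %s\n' "$kind"
        scan_trust_dirs "$list"
    done
fi
```

<para>A file reported as <literal>unknown</literal> or <literal>missing</literal> is worth a closer look: an anchor directory that contains stray files, or an anchor location that does not exist on the host, is a sign that the trust store is not being maintained where the module expects it.</para>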
</section>
<section id="trust-nss">
<title>Using the Trust Policy Module with NSS</title>
<para>The trust policy module is a drop-in replacement for the
<literal>libnssckbi.so</literal> module and thus works out of
the box with NSS. The trust policy module provides NSS style
PKCS#11 trust objects for NSS to retrieve.</para>
<para>The module may be used to replace the
<literal>libnssckbi.so</literal> file via a distribution-specific
alternatives mechanism or otherwise.</para>
<para>Alternatively, NSS applications like Firefox or Thunderbird
may be configured to use the trust policy module by adding
the <literal>p11-kit-trust.so</literal> PKCS#11 module via their
GUI or command line configuration.</para>
</section>
<section id="trust-glib-networking">
<title>Using the Trust Policy Module with glib-networking</title>
<para>The trust policy module can be used as a source of trust
information for glib-networking's <literal>gnutls-pkcs11</literal> backend.
The module provides PKCS#11 trust assertion objects as expected.</para>
<para>The module should work by default if the <literal>gnutls-pkcs11</literal>
backend is selected as the glib-networking TLS backend.</para>
</section>
<section id="trust-disable">
<title>Disabling the Trust Policy Module</title>
<para>This module is installed and enabled by default. It may
be disabled in the following ways:</para>
<itemizedlist>
<listitem><para>Use the <option>--disable-trust-module</option>
option during the <link linkend="devel-building-configure">p11-kit
build</link>.</para></listitem>
<listitem><para>Disable loading trust policy information
from this module by adding a file to <literal>/etc/pkcs11/modules</literal>
called <literal>p11-kit-trust.module</literal> containing a
<literal>trust-policy:</literal> line.</para></listitem>
<listitem><para>Disable this module completely by
adding a file to <literal>/etc/pkcs11/modules</literal>
called <literal>p11-kit-trust.module</literal> containing an
<literal>enable-in:</literal> line.</para></listitem>
</itemizedlist>
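<para>The following shell functions are an added example, not part of the p11-kit manual or project. <literal>write_trust_module_config</literal> writes the <literal>p11-kit-trust.module</literal> file for either of the two file-based methods above, with the target directory as a parameter so the result can be tried in a scratch directory before it is written to <literal>/etc/pkcs11/modules</literal>; <literal>trust_module_status</literal> reads such a file back and reports its effect, judging only by the two lines documented here and treating an absent file as the default (enabled) state. The function names, mode names and status strings are this example's own.</para>

```shell
#!/bin/sh
# Added example (not part of the p11-kit manual): write the module
# configuration files described in the manual and report what an existing
# file does. Writing into /etc/pkcs11/modules needs root; the directory is
# a parameter so the output can be checked in a scratch location first.

# Mode "trust-policy": keep the module loaded but stop it from providing
# trust policy (a bare "trust-policy:" line).
# Mode "module": stop the module from being loaded at all (a bare
# "enable-in:" line). Both follow the manual's disable instructions.
write_trust_module_config() {
    dir=$1
    mode=$2
    mkdir -p "$dir"
    case $mode in
        trust-policy)
            printf 'trust-policy:\n' > "$dir/p11-kit-trust.module" ;;
        module)
            printf 'enable-in:\n' > "$dir/p11-kit-trust.module" ;;
        *)
            echo "unknown mode: $mode"
            return 1 ;;
    esac
}

# Report the effect of a p11-kit-trust.module file, judged only by the two
# lines the manual documents: an empty "enable-in:" disables the module, an
# empty "trust-policy:" disables trust policy. Lines are "key: value";
# blank lines and "#" comments are skipped. No file means nothing overrides
# the default, which the manual states is enabled (an assumption of this
# example, since other configuration sources are not considered here).
trust_module_status() {
    file=$1
    [ -f "$file" ] || { echo enabled; return 0; }
    awk -F: '
        /^[ \t]*(#|$)/ { next }
        {
            key = $1
            sub(/^[ \t]+/, "", key)
            sub(/[ \t]+$/, "", key)
            value = substr($0, length($1) + 2)
            gsub(/[ \t]/, "", value)
            if (key == "enable-in")    { if (value == "") module = 1 }
            if (key == "trust-policy") { if (value == "") policy = 1 }
        }
        END {
            if (module)      print "module-disabled"
            else if (policy) print "trust-policy-disabled"
            else             print "enabled"
        }' "$file"
}

# Usage (as root, after testing in a scratch directory):
#   write_trust_module_config /etc/pkcs11/modules trust-policy
#   trust_module_status /etc/pkcs11/modules/p11-kit-trust.module
```

<para>After changing the file, confirm the effect from the consumer's side rather than trusting the file alone: <literal>p11-kit list-modules</literal> shows which modules p11-kit actually loads, and an NSS or glib-networking application that still validates against system anchors after the <literal>enable-in:</literal> form was written is a sign that a different configuration source is in effect.</para>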
</section>
</chapter>