source: postlfs/security/p11-kit.xml

trunk
Last change on this file was b9874725, checked in by Bruce Dubbs <bdubbs@…>, 2 months ago

Many tags.

Mostly Programming and Xorg sections and dependencies.

File size: 9.0 KB

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
   "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

  <!ENTITY p11-kit-download-http "https://github.com/p11-glue/p11-kit/releases/download/&p11-kit-version;/p11-kit-&p11-kit-version;.tar.xz">
  <!ENTITY p11-kit-download-ftp  " ">
  <!ENTITY p11-kit-md5sum        "2610cef2951d83d7037577eaae1acb54">
  <!ENTITY p11-kit-size          "972 KB">
  <!ENTITY p11-kit-buildsize     "95 MB (with tests)">
  <!ENTITY p11-kit-time          "0.8 SBU (with tests)">
]>

<sect1 id="p11-kit" xreflabel="p11-kit-&p11-kit-version;">
  <?dbhtml filename="p11-kit.html"?>


  <title>p11-kit-&p11-kit-version;</title>

  <indexterm zone="p11-kit">
    <primary sortas="a-p11-kit">p11-kit</primary>
  </indexterm>

  <sect2 role="package">
    <title>Introduction to p11-kit</title>

    <para>
      The <application>p11-kit</application> package provides a way to load and
      enumerate PKCS #11 (a Cryptographic Token Interface Standard) modules.
    </para>

    &lfs121_checked;

    <bridgehead renderas="sect3">Package Information</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>
          Download (HTTP): <ulink url="&p11-kit-download-http;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download (FTP): <ulink url="&p11-kit-download-ftp;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download MD5 sum: &p11-kit-md5sum;
        </para>
      </listitem>
      <listitem>
        <para>
          Download size: &p11-kit-size;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated disk space required: &p11-kit-buildsize;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated build time: &p11-kit-time;
        </para>
      </listitem>
    </itemizedlist>

    <bridgehead renderas="sect3">p11-kit Dependencies</bridgehead>

    <!-- There is a check for libsystemd. It seems to install a systemd service
         in /usr/lib/systemd/user.-->
    <bridgehead renderas="sect4">Recommended</bridgehead>
    <para role="recommended">
      <xref linkend="libtasn1"/>
    </para>

    <bridgehead renderas="sect4">Recommended (runtime)</bridgehead>
    <para role="recommended">
      <xref role="runtime" linkend="make-ca"/>
    </para>

    <bridgehead renderas="sect4">Optional</bridgehead>
    <para role="optional">
      <xref linkend="gtk-doc"/>,
      <xref linkend="libxslt"/>, and
      <xref role="runtime" linkend="nss"/> (runtime)
    </para>

  </sect2>

  <sect2 role="installation">
    <title>Installation of p11-kit</title>

    <!-- https://github.com/p11-glue/p11-kit/pull/535
         The issue causes test failures in glib-networking and libsoup
         Fixed in version 0.25.1

    <para>
      Fix an issue causing some PKCS 11 modules to fail to load:
    </para>

<screen><userinput>sed 's/if (gi/&amp; \&amp;\&amp; gi != C_GetInterface/' \
    -i p11-kit/modules.c</userinput></screen>-->

    <para>
      Prepare the distribution specific anchor hook:
    </para>

<screen><userinput>sed '20,$ d' -i trust/trust-extract-compat &amp;&amp;

cat &gt;&gt; trust/trust-extract-compat &lt;&lt; "EOF"
<literal># Copy existing anchor modifications to /etc/ssl/local
/usr/libexec/make-ca/copy-trust-modifications

# Update trust stores
/usr/sbin/make-ca -r</literal>
EOF</userinput></screen>

    <para>
      Install <application>p11-kit</application> by running the following
      commands:
    </para>

<screen><userinput>mkdir p11-build &amp;&amp;
cd    p11-build &amp;&amp;

meson setup ..            \
      --prefix=/usr       \
      --buildtype=release \
      -Dtrust_paths=/etc/pki/anchors &amp;&amp;
ninja</userinput></screen>

    <para>
      To test the results, issue: <command>LC_ALL=C ninja test</command>.
    </para>

    <para>
      Now, as the <systemitem class="username">root</systemitem> user:
    </para>

<screen role="root"><userinput>ninja install &amp;&amp;
ln -sfv /usr/libexec/p11-kit/trust-extract-compat \
        /usr/bin/update-ca-certificates</userinput></screen>

  </sect2>

  <sect2 role="commands">
    <title>Command Explanations</title>

    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
      href="../../xincludes/meson-buildtype-release.xml"/>

    <para>
      <parameter>-Dtrust_paths=/etc/pki/anchors</parameter>: this switch
      sets the location of trusted certificates used by libp11-kit.so.
    </para>

    <para>
      <option>-Dhash_impl=freebl</option>: Use this switch if you want to
      use the Freebl library from <application>NSS</application> for SHA1 and
      MD5 hashing.
    </para>

    <para>
      <option>-Dgtk_doc=true</option>: Use this switch if you have installed
      <xref linkend="gtk-doc"/> and <xref linkend="libxslt"/> and wish to
      rebuild the documentation and generate manual pages.
    </para>

  </sect2>

  <sect2 role="configuration">
    <title>Configuring p11-kit</title>

    <para>
      The <application>p11-kit</application> trust module
      (<filename>/usr/lib/pkcs11/p11-kit-trust.so</filename>) can be used as a
      drop-in replacement for <filename>/usr/lib/libnssckbi.so</filename> to
      transparently make the system CAs available to
      <application>NSS</application> aware applications, rather than the static
      list provided by <filename>/usr/lib/libnssckbi.so</filename>. As the
      <systemitem class="username">root</systemitem> user, execute the
      following commands:
    </para>

<screen role="root"><userinput>ln -sfv ./pkcs11/p11-kit-trust.so /usr/lib/libnssckbi.so</userinput></screen>

  </sect2>

  <sect2 role="content">
    <title>Contents</title>

    <segmentedlist>
      <segtitle>Installed Programs</segtitle>
      <segtitle>Installed Libraries</segtitle>
      <segtitle>Installed Directories</segtitle>

      <seglistitem>
        <seg>
          p11-kit, trust, and update-ca-certificates
        </seg>
        <seg>
          libp11-kit.so and p11-kit-proxy.so
        </seg>
        <seg>
          /etc/pkcs11,
          /usr/include/p11-kit-1,
          /usr/lib/pkcs11,
          /usr/libexec/p11-kit,
          /usr/share/gtk-doc/html/p11-kit, and
          /usr/share/p11-kit
        </seg>
      </seglistitem>
    </segmentedlist>

    <variablelist>
      <bridgehead renderas="sect3">Short Descriptions</bridgehead>
      <?dbfo list-presentation="list"?>
      <?dbhtml list-presentation="table"?>

      <varlistentry id="p11-kit-prog">
        <term><command>p11-kit</command></term>
        <listitem>
          <para>
            is a command line tool that can be used to perform operations
            on PKCS#11 modules configured on the system
          </para>
          <indexterm zone="p11-kit p11-kit-prog">
            <primary sortas="b-p11-kit">p11-kit</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="trust">
        <term><command>trust</command></term>
        <listitem>
          <para>
            is a command line tool to examine and modify the shared trust
            policy store
          </para>
          <indexterm zone="p11-kit trust">
            <primary sortas="b-trust">trust</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="update-ca-certificates">
        <term><command>update-ca-certificates</command></term>
        <listitem>
          <para>
            is a command line tool to both extract local certificates from an
            updated anchor store, and regenerate all anchors and certificate
            stores on the system. This is done unconditionally on BLFS using
            the <parameter>--force</parameter> and <parameter>--get</parameter>
            flags to <command>make-ca</command> and should likely not be used
            for automated updates
          </para>
          <indexterm zone="p11-kit update-ca-certificates">
            <primary sortas="b-update-ca-certificates">update-ca-certificates</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="libp11-kit">
        <term><filename class="libraryfile">libp11-kit.so</filename></term>
        <listitem>
          <para>
            contains functions used to coordinate initialization and
            finalization of any PKCS#11 module
          </para>
          <indexterm zone="p11-kit libp11-kit">
            <primary sortas="c-libp11-kit">libp11-kit.so</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="p11-kit-proxy">
        <term><filename class="libraryfile">p11-kit-proxy.so</filename></term>
        <listitem>
          <para>
            is the PKCS#11 proxy module
          </para>
          <indexterm zone="p11-kit p11-kit-proxy">
            <primary sortas="c-p11-kit-proxy">p11-kit-proxy.so</primary>
          </indexterm>
        </listitem>
      </varlistentry>

    </variablelist>

  </sect2>

</sect1>
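
A post-install check for the two symbolic links created in the installation and configuration steps above, as an added example that is not part of the BLFS sources. The function names and the `ROOT` prefix argument (empty on a live system, a staging directory otherwise) are assumptions introduced here; if `/usr/lib/libnssckbi.so` stops being that link, NSS applications are no longer reading the system CAs through the trust module.

```shell
#!/bin/sh
# Added example, not from the BLFS book. The ROOT argument is an assumption:
# empty on a live system, or a staging directory for an offline check.

# canon PATH: print PATH with its directory part made canonical.
canon() {
    d=$(cd "$(dirname "$1")" 2>/dev/null && pwd -P) || return 1
    printf '%s/%s\n' "$d" "$(basename "$1")"
}

# check_link ROOT LINK WANT: succeed only if ROOT/LINK is a symbolic link
# that resolves (inside ROOT) to the existing file ROOT/WANT.
check_link() {
    root=$1 link=$2 want=$3
    if [ ! -L "$root$link" ]; then
        echo "FAIL: $link is not a symbolic link" >&2
        return 1
    fi
    raw=$(readlink "$root$link")
    case $raw in
        /*) tgt=$root$raw ;;                      # absolute: re-root it
        *)  tgt=$root$(dirname "$link")/$raw ;;   # relative to the link
    esac
    if [ ! -f "$tgt" ]; then
        echo "FAIL: $link -> $raw is dangling" >&2
        return 1
    fi
    if [ "$(canon "$tgt")" != "$(canon "$root$want")" ]; then
        echo "FAIL: $link -> $raw, expected $want" >&2
        return 1
    fi
    echo "ok: $link -> $raw"
}

# check_p11_kit_links [ROOT]: check both links the page creates.
check_p11_kit_links() {
    rc=0
    check_link "${1:-}" /usr/lib/libnssckbi.so \
        /usr/lib/pkcs11/p11-kit-trust.so || rc=1
    check_link "${1:-}" /usr/bin/update-ca-certificates \
        /usr/libexec/p11-kit/trust-extract-compat || rc=1
    return $rc
}

# Run as: sh check-links.sh --check [ROOT]
if [ "${1:-}" = "--check" ]; then
    check_p11_kit_links "${2:-}"
fi
```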