source: postlfs/security/p11-kit.xml@ 60424b6

Last change on this file since 60424b6 was 60424b6, checked in by Pierre Labastie <pieere@…>, 2 years ago

Recommend make-ca (runtime) for p11-kit, since it is used in
update-ca-certificates. Plus change ln -s to ln -sfv

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@21535 af4574ff-66df-0310-9fd7-8a98e5e911e0

  • Property mode set to 100644
File size: 8.4 KB
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
   "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

  <!ENTITY p11-kit-download-http "https://github.com/p11-glue/p11-kit/releases/download/&p11-kit-version;/p11-kit-&p11-kit-version;.tar.gz">
  <!ENTITY p11-kit-download-ftp " ">
  <!ENTITY p11-kit-md5sum "c4c3eecfe6bd6e62e436f62b51980749">
  <!ENTITY p11-kit-size "1.2 MB">
  <!ENTITY p11-kit-buildsize "46 MB (add 166 MB for tests)">
  <!ENTITY p11-kit-time "0.4 SBU (add 0.6 SBU for tests)">
]>

<sect1 id="p11-kit" xreflabel="p11-kit-&p11-kit-version;">
  <?dbhtml filename="p11-kit.html"?>

  <sect1info>
    <othername>$LastChangedBy$</othername>
    <date>$Date$</date>
  </sect1info>

  <title>p11-kit-&p11-kit-version;</title>

  <indexterm zone="p11-kit">
    <primary sortas="a-p11-kit">p11-kit</primary>
  </indexterm>

  <sect2 role="package">
    <title>Introduction to p11-kit</title>

    <para>
      The <application>p11-kit</application> package provides a way to load and
      enumerate PKCS #11 (a Cryptographic Token Interface Standard) modules.
    </para>

    &lfs84_checked;

    <bridgehead renderas="sect3">Package Information</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>
          Download (HTTP): <ulink url="&p11-kit-download-http;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download (FTP): <ulink url="&p11-kit-download-ftp;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download MD5 sum: &p11-kit-md5sum;
        </para>
      </listitem>
      <listitem>
        <para>
          Download size: &p11-kit-size;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated disk space required: &p11-kit-buildsize;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated build time: &p11-kit-time;
        </para>
      </listitem>
    </itemizedlist>

    <bridgehead renderas="sect3">p11-kit Dependencies</bridgehead>

    <bridgehead renderas="sect4">Recommended</bridgehead>
    <para role="recommended">
      <xref linkend="libtasn1"/> and
      <xref role="runtime" linkend="make-ca"/> (runtime)
    </para>

    <bridgehead renderas="sect4">Optional</bridgehead>
    <para role="optional">
      <xref linkend="gtk-doc"/>,
      <xref linkend="libxslt"/>, and
      <xref role="runtime" linkend="nss"/> (runtime)
    </para>

    <para condition="html" role="usernotes">User Notes:
      <ulink url="&blfs-wiki;/p11-kit"/>
    </para>
  </sect2>

  <sect2 role="installation">
    <title>Installation of p11-kit</title>

    <para>Prepare the distribution specific anchor hook:</para>

<screen><userinput>sed '20,$ d' -i trust/trust-extract-compat.in &amp;&amp;
cat &gt;&gt; trust/trust-extract-compat.in &lt;&lt; "EOF"
<literal># Copy existing anchor modifications to /etc/ssl/local
/usr/libexec/make-ca/copy-trust-modifications

# Generate a new trust store
/usr/sbin/make-ca -f -g</literal>
EOF</userinput></screen>

    <para>
      Install <application>p11-kit</application> by running the following
      commands:
    </para>

<screen><userinput>./configure --prefix=/usr \
            --sysconfdir=/etc \
            --with-trust-paths=/etc/pki/anchors &amp;&amp;
make</userinput></screen>

    <para>
      To test the results, issue: <command>make check</command>.
    </para>

    <para>
      Now, as the <systemitem class="username">root</systemitem> user:
    </para>

<screen role="root"><userinput>make install &amp;&amp;
ln -sfv /usr/libexec/p11-kit/trust-extract-compat \
        /usr/bin/update-ca-certificates</userinput></screen>

  </sect2>

  <sect2 role="commands">
    <title>Command Explanations</title>

    <para>
      <parameter>--with-trust-paths=/etc/pki/anchors</parameter>: this switch
      sets the location of trusted certificates used by libp11-kit.so.
    </para>

    <para>
      <option>--with-hash-impl=freebl</option>: Use this switch if you want to
      use the Freebl library from <application>NSS</application> for SHA1 and
      MD5 hashing.
    </para>

    <para>
      <option>--enable-doc</option>: Use this switch if you have installed
      <xref linkend="gtk-doc"/> and <xref linkend="libxslt"/> and wish to
      rebuild the documentation and generate manual pages.
    </para>

  </sect2>

  <sect2 role="configuration">
    <title>Configuring p11-kit</title>

    <para>The <application>p11-kit</application> trust module
    (<filename>/usr/lib/pkcs11/p11-kit-trust.so</filename>) can be used as a
    drop-in replacement for <filename>/usr/lib/libnssckbi.so</filename> to
    transparently make the system CAs available to
    <application>NSS</application> aware applications, rather than the static
    list provided by <filename>/usr/lib/libnssckbi.so</filename>. As the
    <systemitem class="username">root</systemitem> user, execute the following
    commands:</para>

<screen role="root"><userinput>ln -sfv ./pkcs11/p11-kit-trust.so /usr/lib/libnssckbi.so</userinput></screen>

  </sect2>

  <sect2 role="content">
    <title>Contents</title>

    <segmentedlist>
      <segtitle>Installed Programs</segtitle>
      <segtitle>Installed Libraries</segtitle>
      <segtitle>Installed Directories</segtitle>

      <seglistitem>
        <seg>
          p11-kit and trust
        </seg>
        <seg>
          libp11-kit.so and p11-kit-proxy.so
        </seg>
        <seg>
          /etc/pkcs11,
          /usr/include/p11-kit-1,
          /usr/lib/{p11-kit,pkcs11},
          /usr/share/gtk-doc/html/p11-kit, and
          /usr/share/p11-kit
        </seg>
      </seglistitem>
    </segmentedlist>

    <variablelist>
      <bridgehead renderas="sect3">Short Descriptions</bridgehead>
      <?dbfo list-presentation="list"?>
      <?dbhtml list-presentation="table"?>

      <varlistentry id="p11-kit-prog">
        <term><command>p11-kit</command></term>
        <listitem>
          <para>
            is a command line tool that can be used to perform operations
            on PKCS#11 modules configured on the system.
          </para>
          <indexterm zone="p11-kit p11-kit-prog">
            <primary sortas="b-p11-kit">p11-kit</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="trust">
        <term><command>trust</command></term>
        <listitem>
          <para>
            is a command line tool to examine and modify the shared trust
            policy store.
          </para>
          <indexterm zone="p11-kit trust">
            <primary sortas="b-trust">trust</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="update-ca-certificates">
        <term><command>update-ca-certificates</command></term>
        <listitem>
          <para>
            is a command line tool to both extract local certificates from an
            updated anchor store, and regenerate all anchors and certificate
            stores on the system. This is done unconditionally on BLFS using
            the <parameter>--force</parameter> and <parameter>--get</parameter>
            flags to <command>make-ca</command> and should likely not be used
            for automated updates.
          </para>
          <indexterm zone="p11-kit update-ca-certificates">
            <primary sortas="b-update-ca-certificates">update-ca-certificates</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="libp11-kit">
        <term><filename class="libraryfile">libp11-kit.so</filename></term>
        <listitem>
          <para>
            contains functions used to coordinate initialization and
            finalization of any PKCS#11 module.
          </para>
          <indexterm zone="p11-kit libp11-kit">
            <primary sortas="c-libp11-kit">libp11-kit.so</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="p11-kit-proxy">
        <term><filename class="libraryfile">p11-kit-proxy.so</filename></term>
        <listitem>
          <para>
            is the PKCS#11 proxy module.
          </para>
          <indexterm zone="p11-kit p11-kit-proxy">
            <primary sortas="c-p11-kit-proxy">p11-kit-proxy.so</primary>
          </indexterm>
        </listitem>
      </varlistentry>

    </variablelist>

  </sect2>

</sect1>
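
A post-install check for the two symlinks this file creates (update-ca-certificates and the libnssckbi.so replacement), added here as an example; it is not part of the BLFS book or of p11-kit. The function names and the ROOT staging-tree parameter are hypothetical; the paths are the ones given in the file above.

```shell
#!/bin/sh
# Added example (not from the BLFS book): audit the two symlinks created above.
# ROOT is a hypothetical parameter: empty for the live system, or a staging tree.

# check_link ROOT LINK WANT
# Passes only if LINK is a symlink, its target's file name is WANT, and the
# target exists. Absolute targets are looked up under ROOT.
check_link() {
    root=$1 link=$2 want=$3
    path=$root$link
    if [ ! -L "$path" ]; then
        # e.g. the static NSS libnssckbi.so was reinstalled over the link
        echo "FAIL $link: not a symlink"
        return 1
    fi
    target=$(readlink "$path")
    case $target in
        /*) resolved=$root$target ;;
        *)  resolved=$(dirname "$path")/$target ;;
    esac
    if [ "$(basename "$target")" != "$want" ]; then
        echo "FAIL $link: points to $target, expected $want"
        return 1
    fi
    if [ ! -f "$resolved" ]; then
        echo "FAIL $link: target $target does not exist"
        return 1
    fi
    echo "OK   $link -> $target"
}

# audit_p11kit_links [ROOT]
# Returns 0 only when both links from the installation and configuration
# steps are in place.
audit_p11kit_links() {
    root=${1:-}
    rc=0
    check_link "$root" /usr/lib/libnssckbi.so p11-kit-trust.so || rc=1
    check_link "$root" /usr/bin/update-ca-certificates trust-extract-compat || rc=1
    return $rc
}
```

Running `audit_p11kit_links` with no argument checks the live system; a later NSS reinstall that replaces the link with the static module shows up as "not a symlink".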