source: postlfs/security/p11-kit.xml@ 6914a417

Last change on this file since 6914a417 was 6914a417, checked in by Bruce Dubbs <bdubbs@…>, 3 years ago

Update to node.js-12.13.0.
Update to btrfs-progs-v5.3.
Update to p11-kit-0.23.18.1.
Update to libpwquality-1.4.1.
Update to gnutls-3.6.10.

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@22299 af4574ff-66df-0310-9fd7-8a98e5e911e0

  • Property mode set to 100644
File size: 8.6 KB
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
   "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

  <!ENTITY p11-kit-download-http "https://github.com/p11-glue/p11-kit/releases/download/&p11-kit-version;/p11-kit-&p11-kit-version;.tar.gz">
  <!ENTITY p11-kit-download-ftp " ">
  <!ENTITY p11-kit-md5sum "79480c3a2c905a74f86e885966148537">
  <!ENTITY p11-kit-size "1.2 MB">
  <!ENTITY p11-kit-buildsize "46 MB (add 169 MB for tests)">
  <!ENTITY p11-kit-time "0.4 SBU (add 0.6 SBU for tests)">
]>

<sect1 id="p11-kit" xreflabel="p11-kit-&p11-kit-version;">
  <?dbhtml filename="p11-kit.html"?>

  <sect1info>
    <othername>$LastChangedBy$</othername>
    <date>$Date$</date>
  </sect1info>

  <title>p11-kit-&p11-kit-version;</title>

  <indexterm zone="p11-kit">
    <primary sortas="a-p11-kit">p11-kit</primary>
  </indexterm>

  <sect2 role="package">
    <title>Introduction to p11-kit</title>

    <para>
      The <application>p11-kit</application> package provides a way to load and
      enumerate PKCS #11 (a Cryptographic Token Interface Standard) modules.
    </para>

    &lfs90_checked;

    <bridgehead renderas="sect3">Package Information</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>
          Download (HTTP): <ulink url="&p11-kit-download-http;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download (FTP): <ulink url="&p11-kit-download-ftp;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download MD5 sum: &p11-kit-md5sum;
        </para>
      </listitem>
      <listitem>
        <para>
          Download size: &p11-kit-size;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated disk space required: &p11-kit-buildsize;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated build time: &p11-kit-time;
        </para>
      </listitem>
    </itemizedlist>

    <bridgehead renderas="sect3">p11-kit Dependencies</bridgehead>

    <!-- There is a check for libsystemd. It seems to install a systemd service
         in /usr/lib/systemd/user.-->
    <bridgehead renderas="sect4">Recommended</bridgehead>
    <para role="recommended">
      <xref linkend="libtasn1"/> and
      <xref role="runtime" linkend="make-ca"/> (runtime)
    </para>

    <bridgehead renderas="sect4">Optional</bridgehead>
    <para role="optional">
      <xref linkend="gtk-doc"/>,
      <xref linkend="libxslt"/>, and
      <xref role="runtime" linkend="nss"/> (runtime)
    </para>

    <para condition="html" role="usernotes">User Notes:
      <ulink url="&blfs-wiki;/p11-kit"/>
    </para>
  </sect2>

  <sect2 role="installation">
    <title>Installation of p11-kit</title>

    <para>Prepare the distribution specific anchor hook:</para>

<screen><userinput>sed '20,$ d' -i trust/trust-extract-compat.in &amp;&amp;
cat &gt;&gt; trust/trust-extract-compat.in &lt;&lt; "EOF"
<literal># Copy existing anchor modifications to /etc/ssl/local
/usr/libexec/make-ca/copy-trust-modifications

# Generate a new trust store
/usr/sbin/make-ca -f -g</literal>
EOF</userinput></screen>

    <para>
      Install <application>p11-kit</application> by running the following
      commands:
    </para>

<screen><userinput>./configure --prefix=/usr \
            --sysconfdir=/etc \
            --with-trust-paths=/etc/pki/anchors &amp;&amp;
make</userinput></screen>

    <para>
      To test the results, issue: <command>make check</command>.
      One test, /token/not-writable, is known to fail.
    </para>

    <para>
      Now, as the <systemitem class="username">root</systemitem> user:
    </para>

<screen role="root"><userinput>make install &amp;&amp;
ln -sfv /usr/libexec/p11-kit/trust-extract-compat \
        /usr/bin/update-ca-certificates</userinput></screen>

  </sect2>

  <sect2 role="commands">
    <title>Command Explanations</title>

    <para>
      <parameter>--with-trust-paths=/etc/pki/anchors</parameter>: this switch
      sets the location of trusted certificates used by libp11-kit.so.
    </para>

    <para>
      <option>--with-hash-impl=freebl</option>: Use this switch if you want to
      use the Freebl library from <application>NSS</application> for SHA1 and
      MD5 hashing.
    </para>

    <para>
      <option>--enable-doc</option>: Use this switch if you have installed
      <xref linkend="gtk-doc"/> and <xref linkend="libxslt"/> and wish to
      rebuild the documentation and generate manual pages.
    </para>

  </sect2>

  <sect2 role="configuration">
    <title>Configuring p11-kit</title>

    <para>The <application>p11-kit</application> trust module
      (<filename>/usr/lib/pkcs11/p11-kit-trust.so</filename>) can be used as a
      drop-in replacement for <filename>/usr/lib/libnssckbi.so</filename> to
      transparently make the system CAs available to
      <application>NSS</application> aware applications, rather than the static
      list provided by <filename>/usr/lib/libnssckbi.so</filename>. As the
      <systemitem class="username">root</systemitem> user, execute the following
      commands:</para>

<screen role="root"><userinput>ln -sfv ./pkcs11/p11-kit-trust.so /usr/lib/libnssckbi.so</userinput></screen>

  </sect2>

  <sect2 role="content">
    <title>Contents</title>

    <segmentedlist>
      <segtitle>Installed Programs</segtitle>
      <segtitle>Installed Libraries</segtitle>
      <segtitle>Installed Directories</segtitle>

      <seglistitem>
        <seg>
          p11-kit, trust, and update-ca-certificates
        </seg>
        <seg>
          libp11-kit.so and p11-kit-proxy.so
        </seg>
        <seg>
          /etc/pkcs11,
          /usr/include/p11-kit-1,
          /usr/lib/pkcs11,
          /usr/libexec/p11-kit,
          /usr/share/gtk-doc/html/p11-kit, and
          /usr/share/p11-kit
        </seg>
      </seglistitem>
    </segmentedlist>

    <variablelist>
      <bridgehead renderas="sect3">Short Descriptions</bridgehead>
      <?dbfo list-presentation="list"?>
      <?dbhtml list-presentation="table"?>

      <varlistentry id="p11-kit-prog">
        <term><command>p11-kit</command></term>
        <listitem>
          <para>
            is a command line tool that can be used to perform operations
            on PKCS#11 modules configured on the system.
          </para>
          <indexterm zone="p11-kit p11-kit-prog">
            <primary sortas="b-p11-kit">p11-kit</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="trust">
        <term><command>trust</command></term>
        <listitem>
          <para>
            is a command line tool to examine and modify the shared trust
            policy store.
          </para>
          <indexterm zone="p11-kit trust">
            <primary sortas="b-trust">trust</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="update-ca-certificates">
        <term><command>update-ca-certificates</command></term>
        <listitem>
          <para>
            is a command line tool to both extract local certificates from an
            updated anchor store, and regenerate all anchors and certificate
            stores on the system. This is done unconditionally on BLFS using
            the <parameter>--force</parameter> and <parameter>--get</parameter>
            flags to <command>make-ca</command> and should likely not be used
            for automated updates.
          </para>
          <indexterm zone="p11-kit update-ca-certificates">
            <primary sortas="b-update-ca-certificates">update-ca-certificates</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="libp11-kit">
        <term><filename class="libraryfile">libp11-kit.so</filename></term>
        <listitem>
          <para>
            contains functions used to coordinate initialization and
            finalization of any PKCS#11 module.
          </para>
          <indexterm zone="p11-kit libp11-kit">
            <primary sortas="c-libp11-kit">libp11-kit.so</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="p11-kit-proxy">
        <term><filename class="libraryfile">p11-kit-proxy.so</filename></term>
        <listitem>
          <para>
            is the PKCS#11 proxy module.
          </para>
          <indexterm zone="p11-kit p11-kit-proxy">
            <primary sortas="c-p11-kit-proxy">p11-kit-proxy.so</primary>
          </indexterm>
        </listitem>
      </varlistentry>

    </variablelist>

  </sect2>

</sect1>
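
The following added example is not part of the BLFS book or of p11-kit. It audits the state the installation and configuration commands in the file above leave behind: the two symlinks, the make-ca call in the anchor hook, and the trust path. The function names, the message texts and the ROOT argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the BLFS book): audit the files this page's
# install and configuration commands create. ROOT is "/" for the live
# system or a staged tree; function and message names are illustrative.

finding() { printf 'FINDING: %s\n' "$1"; }

# True when $1 is a symlink whose literal target is exactly $2.
link_is() { [ -L "$1" ] && [ "$(readlink "$1")" = "$2" ]; }

check_p11kit_layout() {
    root=${1%/}
    rc=0

    # NSS-aware applications load libnssckbi.so; unless it points at the
    # p11-kit trust module they keep using the static NSS CA list.
    if ! link_is "$root/usr/lib/libnssckbi.so" ./pkcs11/p11-kit-trust.so; then
        finding "usr/lib/libnssckbi.so is not a link to ./pkcs11/p11-kit-trust.so"; rc=1
    elif [ ! -f "$root/usr/lib/pkcs11/p11-kit-trust.so" ]; then
        finding "usr/lib/libnssckbi.so is dangling: trust module missing"; rc=1
    fi

    # update-ca-certificates must be the patched anchor hook ...
    hook=/usr/libexec/p11-kit/trust-extract-compat
    if ! link_is "$root/usr/bin/update-ca-certificates" "$hook"; then
        finding "usr/bin/update-ca-certificates is not a link to $hook"; rc=1
    fi
    # ... and the hook must contain the make-ca call appended by the heredoc.
    if ! grep -qxF '/usr/sbin/make-ca -f -g' "$root$hook" 2>/dev/null; then
        finding "trust-extract-compat does not run /usr/sbin/make-ca -f -g"; rc=1
    fi

    # --with-trust-paths: a world-writable anchor directory would let any
    # local user place files in the trust store.
    anchors=$root/etc/pki/anchors
    if [ ! -d "$anchors" ]; then
        finding "etc/pki/anchors is missing"; rc=1
    elif [ -n "$(find "$anchors" -prune -perm -002)" ]; then
        finding "etc/pki/anchors is world-writable"; rc=1
    fi
    return "$rc"
}

# Run only when asked, e.g.: sh check-p11kit.sh --check /
if [ "${1:-}" = "--check" ]; then check_p11kit_layout "${2:-/}"; fi
```

The symlink targets are compared literally, so a link that reaches the same file by a different path is reported and should be reviewed by hand.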