source: postlfs/security/p11-kit.xml@ b5f0edd

Last change on this file since b5f0edd was b5f0edd, checked in by Xi Ruoyao <xry111@…>, 4 years ago

p11-kit: do not test as root

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@22626 af4574ff-66df-0310-9fd7-8a98e5e911e0

  • Property mode set to 100644
File size: 8.6 KB
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
   "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

  <!ENTITY p11-kit-download-http "https://github.com/p11-glue/p11-kit/releases/download/&p11-kit-version;/p11-kit-&p11-kit-version;.tar.xz">
  <!ENTITY p11-kit-download-ftp " ">
  <!ENTITY p11-kit-md5sum "c9b3076475c6a57ca62005c43e77cd64">
  <!ENTITY p11-kit-size "804 KB">
  <!ENTITY p11-kit-buildsize "46 MB (add 169 MB for tests)">
  <!ENTITY p11-kit-time "0.4 SBU (add 0.6 SBU for tests)">
]>

<sect1 id="p11-kit" xreflabel="p11-kit-&p11-kit-version;">
  <?dbhtml filename="p11-kit.html"?>

  <sect1info>
    <othername>$LastChangedBy$</othername>
    <date>$Date$</date>
  </sect1info>

  <title>p11-kit-&p11-kit-version;</title>

  <indexterm zone="p11-kit">
    <primary sortas="a-p11-kit">p11-kit</primary>
  </indexterm>

  <sect2 role="package">
    <title>Introduction to p11-kit</title>

    <para>
      The <application>p11-kit</application> package provides a way to load and
      enumerate PKCS #11 (a Cryptographic Token Interface Standard) modules.
    </para>

    &lfs90_checked;

    <bridgehead renderas="sect3">Package Information</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>
          Download (HTTP): <ulink url="&p11-kit-download-http;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download (FTP): <ulink url="&p11-kit-download-ftp;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download MD5 sum: &p11-kit-md5sum;
        </para>
      </listitem>
      <listitem>
        <para>
          Download size: &p11-kit-size;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated disk space required: &p11-kit-buildsize;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated build time: &p11-kit-time;
        </para>
      </listitem>
    </itemizedlist>

    <bridgehead renderas="sect3">p11-kit Dependencies</bridgehead>

    <!-- There is a check for libsystemd. It seems to install a systemd service
         in /usr/lib/systemd/user.-->
    <bridgehead renderas="sect4">Recommended</bridgehead>
    <para role="recommended">
      <xref linkend="libtasn1"/> and
      <xref role="runtime" linkend="make-ca"/> (runtime)
    </para>

    <bridgehead renderas="sect4">Optional</bridgehead>
    <para role="optional">
      <xref linkend="gtk-doc"/>,
      <xref linkend="libxslt"/>, and
      <xref role="runtime" linkend="nss"/> (runtime)
    </para>

    <para condition="html" role="usernotes">User Notes:
      <ulink url="&blfs-wiki;/p11-kit"/>
    </para>
  </sect2>

  <sect2 role="installation">
    <title>Installation of p11-kit</title>

    <para>Prepare the distribution specific anchor hook:</para>

<screen><userinput>sed '20,$ d' -i trust/trust-extract-compat.in &amp;&amp;
cat &gt;&gt; trust/trust-extract-compat.in &lt;&lt; "EOF"
<literal># Copy existing anchor modifications to /etc/ssl/local
/usr/libexec/make-ca/copy-trust-modifications

# Generate a new trust store
/usr/sbin/make-ca -f -g</literal>
EOF</userinput></screen>

    <para>
      Install <application>p11-kit</application> by running the following
      commands:
    </para>

<screen><userinput>./configure --prefix=/usr \
            --sysconfdir=/etc \
            --with-trust-paths=/etc/pki/anchors &amp;&amp;
make</userinput></screen>

    <para>
      To test the results, issue: <command>make check</command>.
      Many tests will fail if the test suite is run as the
      <systemitem class="username">root</systemitem> user.
    </para>

    <para>
      Now, as the <systemitem class="username">root</systemitem> user:
    </para>

<screen role="root"><userinput>make install &amp;&amp;
ln -sfv /usr/libexec/p11-kit/trust-extract-compat \
        /usr/bin/update-ca-certificates</userinput></screen>

  </sect2>

  <sect2 role="commands">
    <title>Command Explanations</title>

    <para>
      <parameter>--with-trust-paths=/etc/pki/anchors</parameter>: this switch
      sets the location of trusted certificates used by libp11-kit.so.
    </para>

    <para>
      <option>--with-hash-impl=freebl</option>: Use this switch if you want to
      use the Freebl library from <application>NSS</application> for SHA1 and
      MD5 hashing.
    </para>

    <para>
      <option>--enable-doc</option>: Use this switch if you have installed
      <xref linkend="gtk-doc"/> and <xref linkend="libxslt"/> and wish to
      rebuild the documentation and generate manual pages.
    </para>

  </sect2>

  <sect2 role="configuration">
    <title>Configuring p11-kit</title>

    <para>The <application>p11-kit</application> trust module
    (<filename>/usr/lib/pkcs11/p11-kit-trust.so</filename>) can be used as a
    drop-in replacement for <filename>/usr/lib/libnssckbi.so</filename> to
    transparently make the system CAs available to
    <application>NSS</application> aware applications, rather than the static
    list provided by <filename>/usr/lib/libnssckbi.so</filename>. As the
    <systemitem class="username">root</systemitem> user, execute the following
    commands:</para>

<screen role="root"><userinput>ln -sfv ./pkcs11/p11-kit-trust.so /usr/lib/libnssckbi.so</userinput></screen>

  </sect2>

  <sect2 role="content">
    <title>Contents</title>

    <segmentedlist>
      <segtitle>Installed Programs</segtitle>
      <segtitle>Installed Libraries</segtitle>
      <segtitle>Installed Directories</segtitle>

      <seglistitem>
        <seg>
          p11-kit, trust, and update-ca-certificates
        </seg>
        <seg>
          libp11-kit.so and p11-kit-proxy.so
        </seg>
        <seg>
          /etc/pkcs11,
          /usr/include/p11-kit-1,
          /usr/lib/pkcs11,
          /usr/libexec/p11-kit,
          /usr/share/gtk-doc/html/p11-kit, and
          /usr/share/p11-kit
        </seg>
      </seglistitem>
    </segmentedlist>

    <variablelist>
      <bridgehead renderas="sect3">Short Descriptions</bridgehead>
      <?dbfo list-presentation="list"?>
      <?dbhtml list-presentation="table"?>

      <varlistentry id="p11-kit-prog">
        <term><command>p11-kit</command></term>
        <listitem>
          <para>
            is a command line tool that can be used to perform operations
            on PKCS#11 modules configured on the system.
          </para>
          <indexterm zone="p11-kit p11-kit-prog">
            <primary sortas="b-p11-kit">p11-kit</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="trust">
        <term><command>trust</command></term>
        <listitem>
          <para>
            is a command line tool to examine and modify the shared trust
            policy store.
          </para>
          <indexterm zone="p11-kit trust">
            <primary sortas="b-trust">trust</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="update-ca-certificates">
        <term><command>update-ca-certificates</command></term>
        <listitem>
          <para>
            is a command line tool to both extract local certificates from an
            updated anchor store, and regenerate all anchors and certificate
            stores on the system. This is done unconditionally on BLFS using
            the <parameter>--force</parameter> and <parameter>--get</parameter>
            flags to <command>make-ca</command> and should likely not be used
            for automated updates.
          </para>
          <indexterm zone="p11-kit update-ca-certificates">
            <primary sortas="b-update-ca-certificates">update-ca-certificates</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="libp11-kit">
        <term><filename class="libraryfile">libp11-kit.so</filename></term>
        <listitem>
          <para>
            contains functions used to coordinate initialization and
            finalization of any PKCS#11 module.
          </para>
          <indexterm zone="p11-kit libp11-kit">
            <primary sortas="c-libp11-kit">libp11-kit.so</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="p11-kit-proxy">
        <term><filename class="libraryfile">p11-kit-proxy.so</filename></term>
        <listitem>
          <para>
            is the PKCS#11 proxy module.
          </para>
          <indexterm zone="p11-kit p11-kit-proxy">
            <primary sortas="c-p11-kit-proxy">p11-kit-proxy.so</primary>
          </indexterm>
        </listitem>
      </varlistentry>

    </variablelist>

  </sect2>

</sect1>
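
The installation and configuration sections create two symlinks that decide which trust data applications see. The following check is an added example, not part of the BLFS book: it verifies both links against the targets given in the commands above, and fails if `/usr/lib/libnssckbi.so` is a regular file (the static list) rather than a link to the trust module. The function names and the optional stage-root argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the BLFS book): check the two symlinks the
# instructions create. The stage-root argument is this example's assumption,
# so the check can run against a DESTDIR-style tree as well as /.

# link_is STAGE LINK TARGET
# Succeeds when STAGE+LINK is a symlink whose stored target is exactly TARGET
# and the file it points to exists inside STAGE.
link_is() {
    stage=${1%/} link=$2 want=$3
    if [ ! -L "$stage$link" ]; then
        echo "FAIL $link: not a symlink"
        return 1
    fi
    got=$(readlink "$stage$link")
    if [ "$got" != "$want" ]; then
        echo "FAIL $link -> $got (expected $want)"
        return 1
    fi
    # Relative targets resolve from the link's own directory.
    case $want in
        /*) resolved=$stage$want ;;
        *)  resolved=$stage$(dirname "$link")/$want ;;
    esac
    if [ ! -e "$resolved" ]; then
        echo "FAIL $link: target $want does not exist"
        return 1
    fi
    echo "OK   $link -> $want"
}

# check_p11kit_links [STAGE]: returns 0 only when both links are as expected.
check_p11kit_links() {
    tree=${1:-/} rc=0
    link_is "$tree" /usr/lib/libnssckbi.so ./pkcs11/p11-kit-trust.so || rc=1
    link_is "$tree" /usr/bin/update-ca-certificates \
        /usr/libexec/p11-kit/trust-extract-compat || rc=1
    return "$rc"
}
```

Call `check_p11kit_links` with no argument to check the running system, or pass a staging directory to check a packaged tree before it is installed.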