source: postlfs/security/p11-kit.xml@ ee01972

Last change on this file since ee01972 was e440af5, checked in by Pierre Labastie <pierre.labastie@…>, 9 months ago

Remove trailing spaces and a few typos

1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7 <!ENTITY p11-kit-download-http "https://github.com/p11-glue/p11-kit/releases/download/&p11-kit-version;/p11-kit-&p11-kit-version;.tar.xz">
8 <!ENTITY p11-kit-download-ftp " ">
9 <!ENTITY p11-kit-md5sum "9fcb1ec80b5d083dd9b34122fa7c3c23">
10 <!ENTITY p11-kit-size "940 KB">
11 <!ENTITY p11-kit-buildsize "90 MB (with tests)">
12 <!ENTITY p11-kit-time "0.6 SBU (with tests)">
13]>
14
15<sect1 id="p11-kit" xreflabel="p11-kit-&p11-kit-version;">
16 <?dbhtml filename="p11-kit.html"?>
17
18
19 <title>p11-kit-&p11-kit-version;</title>
20
21 <indexterm zone="p11-kit">
22 <primary sortas="a-p11-kit">p11-kit</primary>
23 </indexterm>
24
25 <sect2 role="package">
26 <title>Introduction to p11-kit</title>
27
28 <para>
29 The <application>p11-kit</application> package provides a way to load and
30 enumerate PKCS #11 (a Cryptographic Token Interface Standard) modules.
31 </para>
32
33 &lfs120_checked;
34
35 <bridgehead renderas="sect3">Package Information</bridgehead>
36 <itemizedlist spacing="compact">
37 <listitem>
38 <para>
39 Download (HTTP): <ulink url="&p11-kit-download-http;"/>
40 </para>
41 </listitem>
42 <listitem>
43 <para>
44 Download (FTP): <ulink url="&p11-kit-download-ftp;"/>
45 </para>
46 </listitem>
47 <listitem>
48 <para>
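49 Download MD5 sum: &p11-kit-md5sum; <!-- NOTE(review): the MD5 sum only detects a corrupted download; MD5 is not collision-resistant, so it does not authenticate the tarball -->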
50 </para>
51 </listitem>
52 <listitem>
53 <para>
54 Download size: &p11-kit-size;
55 </para>
56 </listitem>
57 <listitem>
58 <para>
59 Estimated disk space required: &p11-kit-buildsize;
60 </para>
61 </listitem>
62 <listitem>
63 <para>
64 Estimated build time: &p11-kit-time;
65 </para>
66 </listitem>
67 </itemizedlist>
68
69 <bridgehead renderas="sect3">p11-kit Dependencies</bridgehead>
70
71 <!-- There is a check for libsystemd. It seems to install a systemd service
72 in /usr/lib/systemd/user.-->
73 <bridgehead renderas="sect4">Recommended</bridgehead>
74 <para role="recommended">
75 <xref linkend="libtasn1"/>
76 </para>
77
78 <bridgehead renderas="sect4">Recommended (runtime)</bridgehead>
79 <para role="recommended">
80 <xref role="runtime" linkend="make-ca"/>
81 </para>
82
83 <bridgehead renderas="sect4">Optional</bridgehead>
84 <para role="optional">
85 <xref linkend="gtk-doc"/>,
86 <xref linkend="libxslt"/>, and
87 <xref role="runtime" linkend="nss"/> (runtime)
88 </para>
89
90 </sect2>
91
92 <sect2 role="installation">
93 <title>Installation of p11-kit</title>
94
95 <!-- https://github.com/p11-glue/p11-kit/pull/535
96 The issue causes test failures in glib-networking and libsoup -->
97 <para>
98 Fix an issue causing some PKCS #11 modules to fail to load:
99 </para>
100
101<screen><userinput>sed 's/if (gi/&amp; \&amp;\&amp; gi != C_GetInterface/' \
102 -i p11-kit/modules.c</userinput></screen>
103
104
105 <para>
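106 Prepare the distribution-specific anchor hook. The commands below delete everything from line 20 onward in <filename>trust/trust-extract-compat</filename> and append calls to the <application>make-ca</application> scripts: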
107 </para>
108
109<screen><userinput>sed '20,$ d' -i trust/trust-extract-compat &amp;&amp;
110cat &gt;&gt; trust/trust-extract-compat &lt;&lt; "EOF"
111<literal># Copy existing anchor modifications to /etc/ssl/local
112/usr/libexec/make-ca/copy-trust-modifications
113
114# Update trust stores
115/usr/sbin/make-ca -r</literal>
116EOF</userinput></screen>
117
118 <para>
119 Install <application>p11-kit</application> by running the following
120 commands:
121 </para>
122
123<screen><userinput>mkdir p11-build &amp;&amp;
124cd p11-build &amp;&amp;
125
126meson setup .. \
127 --prefix=/usr \
128 --buildtype=release \
129 -Dtrust_paths=/etc/pki/anchors &amp;&amp;
130ninja</userinput></screen>
131
132 <para>
133 To test the results, issue: <command>ninja test</command>.
134 </para>
135
136 <para>
137 Now, as the <systemitem class="username">root</systemitem> user:
138 </para>
139
140<screen role="root"><userinput>ninja install &amp;&amp;
141ln -sfv /usr/libexec/p11-kit/trust-extract-compat \
142 /usr/bin/update-ca-certificates</userinput></screen>
143
144 </sect2>
145
146 <sect2 role="commands">
147 <title>Command Explanations</title>
148
149 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
150 href="../../xincludes/meson-buildtype-release.xml"/>
151
152 <para>
153 <parameter>-Dtrust_paths=/etc/pki/anchors</parameter>: this switch
154 sets the location of trusted certificates used by libp11-kit.so.
155 </para>
156
157 <para>
158 <option>-Dhash_impl=freebl</option>: Use this switch if you want to
159 use the Freebl library from <application>NSS</application> for SHA1 and
160 MD5 hashing.
161 </para>
162
163 <para>
164 <option>-Dgtk_doc=true</option>: Use this switch if you have installed
165 <xref linkend="gtk-doc"/> and <xref linkend="libxslt"/> and wish to
166 rebuild the documentation and generate manual pages.
167 </para>
168
169 </sect2>
170
171 <sect2 role="configuration">
172 <title>Configuring p11-kit</title>
173
174 <para>
175 The <application>p11-kit</application> trust module
176 (<filename>/usr/lib/pkcs11/p11-kit-trust.so</filename>) can be used as a
177 drop-in replacement for <filename>/usr/lib/libnssckbi.so</filename> to
178 transparently make the system CAs available to
179 <application>NSS</application>-aware applications, rather than the static
180 list provided by <filename>/usr/lib/libnssckbi.so</filename>. As the
181 <systemitem class="username">root</systemitem> user, execute the
182 following commands:
183 </para>
184
185<screen role="root"><userinput>ln -sfv ./pkcs11/p11-kit-trust.so /usr/lib/libnssckbi.so</userinput></screen>
186
187 </sect2>
188
189 <sect2 role="content">
190 <title>Contents</title>
191
192 <segmentedlist>
193 <segtitle>Installed Programs</segtitle>
194 <segtitle>Installed Libraries</segtitle>
195 <segtitle>Installed Directories</segtitle>
196
197 <seglistitem>
198 <seg>
199 p11-kit, trust, and update-ca-certificates
200 </seg>
201 <seg>
202 libp11-kit.so and p11-kit-proxy.so
203 </seg>
204 <seg>
205 /etc/pkcs11,
206 /usr/include/p11-kit-1,
207 /usr/lib/pkcs11,
208 /usr/libexec/p11-kit,
209 /usr/share/gtk-doc/html/p11-kit, and
210 /usr/share/p11-kit
211 </seg>
212 </seglistitem>
213 </segmentedlist>
214
215 <variablelist>
216 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
217 <?dbfo list-presentation="list"?>
218 <?dbhtml list-presentation="table"?>
219
220 <varlistentry id="p11-kit-prog">
221 <term><command>p11-kit</command></term>
222 <listitem>
223 <para>
224 is a command line tool that can be used to perform operations
225 on PKCS#11 modules configured on the system
226 </para>
227 <indexterm zone="p11-kit p11-kit-prog">
228 <primary sortas="b-p11-kit">p11-kit</primary>
229 </indexterm>
230 </listitem>
231 </varlistentry>
232
233 <varlistentry id="trust">
234 <term><command>trust</command></term>
235 <listitem>
236 <para>
237 is a command line tool to examine and modify the shared trust
238 policy store
239 </para>
240 <indexterm zone="p11-kit trust">
241 <primary sortas="b-trust">trust</primary>
242 </indexterm>
243 </listitem>
244 </varlistentry>
245
246 <varlistentry id="update-ca-certificates">
247 <term><command>update-ca-certificates</command></term>
248 <listitem>
249 <para>
250 is a command line tool to both extract local certificates from an
251 updated anchor store, and regenerate all anchors and certificate
252 stores on the system. This is done unconditionally on BLFS using
253 the <parameter>--force</parameter> and <parameter>--get</parameter>
254 flags to <command>make-ca</command> and should likely not be used
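255 for automated updates <!-- NOTE(review): the hook written in the Installation section of this page calls make-ca -r, not the force and get flags named here; confirm which is current -->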
256 </para>
257 <indexterm zone="p11-kit update-ca-certificates">
258 <primary sortas="b-update-ca-certificates">update-ca-certificates</primary>
259 </indexterm>
260 </listitem>
261 </varlistentry>
262
263 <varlistentry id="libp11-kit">
264 <term><filename class="libraryfile">libp11-kit.so</filename></term>
265 <listitem>
266 <para>
267 contains functions used to coordinate initialization and
268 finalization of any PKCS#11 module
269 </para>
270 <indexterm zone="p11-kit libp11-kit">
271 <primary sortas="c-libp11-kit">libp11-kit.so</primary>
272 </indexterm>
273 </listitem>
274 </varlistentry>
275
276 <varlistentry id="p11-kit-proxy">
277 <term><filename class="libraryfile">p11-kit-proxy.so</filename></term>
278 <listitem>
279 <para>
280 is the PKCS#11 proxy module
281 </para>
282 <indexterm zone="p11-kit p11-kit-proxy">
283 <primary sortas="c-p11-kit-proxy">p11-kit-proxy.so</primary>
284 </indexterm>
285 </listitem>
286 </varlistentry>
287
288 </variablelist>
289
290 </sect2>
291
292</sect1>