linux-from-scratch/glfs
1
0
Fork 0
mirror of https://github.com/Zeckmathederg/glfs.git synced 2025-01-25 07:42:13 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity
963d50b62c
glfs/postlfs/security/p11-kit.xml
Pierre Labastie 3f2db3a638 Remove sect1info tags 
They only contain a date tag that is nowhere used.
2022-11-29 08:58:07 +01:00

281 lines
8.6 KiB
XML
Raw Blame History

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % general-entities SYSTEM "../../general.ent">
%general-entities;
<!ENTITY p11-kit-download-http "https://github.com/p11-glue/p11-kit/releases/download/&p11-kit-version;/p11-kit-&p11-kit-version;.tar.xz">
<!ENTITY p11-kit-download-ftp " ">
<!ENTITY p11-kit-md5sum "67b2539bdca6b4bedaeecc12864d2796">
<!ENTITY p11-kit-size "820 KB">
<!ENTITY p11-kit-buildsize "44 MB (with tests)">
<!ENTITY p11-kit-time "0.5 SBU (with tests)">
]>
<sect1 id="p11-kit" xreflabel="p11-kit-&p11-kit-version;">
<?dbhtml filename="p11-kit.html"?>
<title>p11-kit-&p11-kit-version;</title>
<indexterm zone="p11-kit">
<primary sortas="a-p11-kit">p11-kit</primary>
</indexterm>
<sect2 role="package">
<title>Introduction to p11-kit</title>
<para>
The <application>p11-kit</application> package provides a way to load and
enumerate PKCS #11 (a Cryptographic Token Interface Standard) modules.
</para>
&lfs112_checked;
<bridgehead renderas="sect3">Package Information</bridgehead>
<itemizedlist spacing="compact">
<listitem>
<para>
Download (HTTP): <ulink url="&p11-kit-download-http;"/>
</para>
</listitem>
<listitem>
<para>
Download (FTP): <ulink url="&p11-kit-download-ftp;"/>
</para>
</listitem>
<listitem>
<para>
Download MD5 sum: &p11-kit-md5sum;
</para>
</listitem>
<listitem>
<para>
Download size: &p11-kit-size;
</para>
</listitem>
<listitem>
<para>
Estimated disk space required: &p11-kit-buildsize;
</para>
</listitem>
<listitem>
<para>
Estimated build time: &p11-kit-time;
</para>
</listitem>
</itemizedlist>
<bridgehead renderas="sect3">p11-kit Dependencies</bridgehead>
<!-- There is a check for libsystemd. It seems to install a systemd service
in /usr/lib/systemd/user.-->
<bridgehead renderas="sect4">Recommended</bridgehead>
<para role="recommended">
<xref linkend="libtasn1"/> and
<xref role="runtime" linkend="make-ca"/> (runtime)
</para>
<bridgehead renderas="sect4">Optional</bridgehead>
<para role="optional">
<xref linkend="gtk-doc"/>,
<xref linkend="libxslt"/>, and
<xref role="runtime" linkend="nss"/> (runtime)
</para>
<para condition="html" role="usernotes">User Notes:
<ulink url="&blfs-wiki;/p11-kit"/>
</para>
</sect2>
<sect2 role="installation">
<title>Installation of p11-kit</title>
<para>
Prepare the distribution specific anchor hook:
</para>
<screen><userinput>sed '20,$ d' -i trust/trust-extract-compat &amp;&amp;
cat &gt;&gt; trust/trust-extract-compat &lt;&lt; "EOF"
<literal># Copy existing anchor modifications to /etc/ssl/local
/usr/libexec/make-ca/copy-trust-modifications
# Update trust stores
/usr/sbin/make-ca -r</literal>
EOF</userinput></screen>
<para>
Install <application>p11-kit</application> by running the following
commands:
</para>
<screen><userinput>mkdir p11-build &amp;&amp;
cd p11-build &amp;&amp;
meson --prefix=/usr \
--buildtype=release \
-Dtrust_paths=/etc/pki/anchors &amp;&amp;
ninja</userinput></screen>
<para>
To test the results, issue: <command>ninja test</command>.
</para>
<para>
Now, as the <systemitem class="username">root</systemitem> user:
</para>
<screen role="root"><userinput>ninja install &amp;&amp;
ln -sfv /usr/libexec/p11-kit/trust-extract-compat \
/usr/bin/update-ca-certificates</userinput></screen>
</sect2>
<sect2 role="commands">
<title>Command Explanations</title>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
href="../../xincludes/meson-buildtype-release.xml"/>
<para>
<parameter>-Dtrust_paths=/etc/pki/anchors</parameter>: this switch
sets the location of trusted certificates used by libp11-kit.so.
</para>
<para>
<option>-Dhash_impl=freebl</option>: Use this switch if you want to
use the Freebl library from <application>NSS</application> for SHA1 and
MD5 hashing.
</para>
<para>
<option>-Dgtk_doc=true</option>: Use this switch if you have installed
<xref linkend="gtk-doc"/> and <xref linkend="libxslt"/> and wish to
rebuild the documentation and generate manual pages.
</para>
</sect2>
<sect2 role="configuration">
<title>Configuring p11-kit</title>
<para>
The <application>p11-kit</application> trust module
(<filename>/usr/lib/pkcs11/p11-kit-trust.so</filename>) can be used as a
drop-in replacement for <filename>/usr/lib/libnssckbi.so</filename> to
transparently make the system CAs available to
<application>NSS</application> aware applications, rather than the static
list provided by <filename>/usr/lib/libnssckbi.so</filename>. As the
<systemitem class="username">root</systemitem> user, execute the
following commands:
</para>
<screen role="root"><userinput>ln -sfv ./pkcs11/p11-kit-trust.so /usr/lib/libnssckbi.so</userinput></screen>
</sect2>
<sect2 role="content">
<title>Contents</title>
<segmentedlist>
<segtitle>Installed Programs</segtitle>
<segtitle>Installed Libraries</segtitle>
<segtitle>Installed Directories</segtitle>
<seglistitem>
<seg>
p11-kit, trust, and update-ca-certificates
</seg>
<seg>
libp11-kit.so and p11-kit-proxy.so
</seg>
<seg>
/etc/pkcs11,
/usr/include/p11-kit-1,
/usr/lib/pkcs11,
/usr/libexec/p11-kit,
/usr/share/gtk-doc/html/p11-kit, and
/usr/share/p11-kit
</seg>
</seglistitem>
</segmentedlist>
<variablelist>
<bridgehead renderas="sect3">Short Descriptions</bridgehead>
<?dbfo list-presentation="list"?>
<?dbhtml list-presentation="table"?>
<varlistentry id="p11-kit-prog">
<term><command>p11-kit</command></term>
<listitem>
<para>
is a command line tool that can be used to perform operations
on PKCS#11 modules configured on the system
</para>
<indexterm zone="p11-kit p11-kit-prog">
<primary sortas="b-p11-kit">p11-kit</primary>
</indexterm>
</listitem>
</varlistentry>
<varlistentry id="trust">
<term><command>trust</command></term>
<listitem>
<para>
is a command line tool to examine and modify the shared trust
policy store
</para>
<indexterm zone="p11-kit trust">
<primary sortas="b-trust">trust</primary>
</indexterm>
</listitem>
</varlistentry>
<varlistentry id="update-ca-certificates">
<term><command>update-ca-certificates</command></term>
<listitem>
<para>
is a command line tool to both extract local certificates from an
updated anchor store, and regenerate all anchors and certificate
stores on the system. This is done unconditionally on BLFS using
the <parameter>--force</parameter> and <parameter>--get</parameter>
flags to <command>make-ca</command> and should likely not be used
for automated updates
</para>
<indexterm zone="p11-kit update-ca-certificates">
<primary sortas="b-update-ca-certificates">update-ca-certificates</primary>
</indexterm>
</listitem>
</varlistentry>
<varlistentry id="libp11-kit">
<term><filename class="libraryfile">libp11-kit.so</filename></term>
<listitem>
<para>
contains functions used to coordinate initialization and
finalization of any PKCS#11 module
</para>
<indexterm zone="p11-kit libp11-kit">
<primary sortas="c-libp11-kit">libp11-kit.so</primary>
</indexterm>
</listitem>
</varlistentry>
<varlistentry id="p11-kit-proxy">
<term><filename class="libraryfile">p11-kit-proxy.so</filename></term>
<listitem>
<para>
is the PKCS#11 proxy module
</para>
<indexterm zone="p11-kit p11-kit-proxy">
<primary sortas="c-p11-kit-proxy">p11-kit-proxy.so</primary>
</indexterm>
</listitem>
</varlistentry>
</variablelist>
</sect2>
</sect1>
Reference in New Issue View Git Blame Copy Permalink