Project: Trust Storage Module
This is a PKCS#11 module that exposes read-only storage of system certificates and trust policy. It loads the certificates and trust storage from a directory of files.
Crypto libraries are able to use this as a shared source of certificate authority anchors, black lists, and other locally stored system trust policy.
There is work going on to define a comprehensive representation of this shared trust policy. Once such a solution matures we hope to implement it in this PKCS#11 trust storage module.
Also included is a tool called p11-kit extract-trust that can be used to extract certificates anchors with trust information in various formats for crypto libraries not (or not yet) able to read from this PKCS#11 trust module directly.
A goal is to have minimal dependencies, and be crypto library agnostic so this can be used by any library or app. Accesses information owned by root and configured by a system administrator or distro creator. These PKCS#11 objects are read-only and so don't need to go through a coordinating daemon. Thus we can implement an efficient, reliable lookup for these system certs and other objects, with less moving parts.
Code has been merged into the main p11-kit repository, and is found in the trust/ subdirectory. The extract code is found in the tools subdirectory:
$ git clone https://github.com/p11-glue/p11-kit $ cd p11-kit $ cd trust/
An implementation of the module is available, and you can try it out. A dependency on libtasn1-devel is required to build the PKCS#11 trust module. The extract tool is also implemented.
$ sh autogen.sh --prefix=/usr --sysconfdir=/etc --libdir=/usr/lib64 --enable-debug \ --with-system-anchors=/etc/pki/tls/certs/ca-bundle.trust.crt:/etc/pki/tls/certs/anchors $ make $ sudo make install $ sudo mv -v /usr/lib64/libnssckbi.so /opt/libnssckbi.so.orig-nss $ sudo ln -sv pkcs11/p11-kit-trust.so /usr/lib64/libnssckbi.so
Now place some certificates in the --with-system-anchors location(s). Right now, as input, you can use DER, PEM or OpenSSL style 'trusted certificates'.
For example you can tweak some trust policy bits like so:
$ openssl x509 -addtrust serverAuth -addreject clientAuth \ -in /path/to/my-ca.pem -out /etc/pki/tls/certs/anchors/my-ca.pem
Now you can run apps like Firefox and see the certificates appear in the Certificate manager and are trusted as appropriate. You can use a command like this to see some debug output:
$ P11_KIT_DEBUG=all firefox
Run the extraction tool, and/or customize it:
$ p11-kit extract-trust