Project: Trust Storage Module

This is a PKCS#11 module that exposes read-only storage of system certificates and trust policy. It loads the certificates and trust storage from a directory of files.

Crypto libraries are able to use this as a shared source of certificate authority anchors, black lists, and other locally stored system trust policy.

There is work going on to define a comprehensive representation of this shared trust policy. Once such a solution matures we hope to implement it in this PKCS#11 trust storage module.

Also included is a tool called p11-kit extract-trust that can be used to extract certificates anchors with trust information in various formats for crypto libraries not (or not yet) able to read from this PKCS#11 trust module directly.

A goal is to have minimal dependencies, and be crypto library agnostic so this can be used by any library or app. Accesses information owned by root and configured by a system administrator or distro creator. These PKCS#11 objects are read-only and so don't need to go through a coordinating daemon. Thus we can implement an efficient, reliable lookup for these system certs and other objects, with less moving parts.

Source Repository

Code has been merged into the main p11-kit repository, and is found in the trust/ subdirectory. The extract code is found in the tools subdirectory:

$ git clone https://github.com/p11-glue/p11-kit
$ cd p11-kit

Status

An implementation of the module is available, and you can try it out. A dependency on libtasn1-devel is required to build the PKCS#11 trust module. The extract tool is also implemented.

$ sh autogen.sh --prefix=/usr --sysconfdir=/etc --libdir=/usr/lib64 --enable-debug \
	--with-trust-paths=/etc/pki/ca-trust/source:/usr/share/pki/ca-trust-source
$ make
$ sudo make install
$ sudo mv -v /usr/lib64/libnssckbi.so /opt/libnssckbi.so.orig-nss
$ sudo ln -sv pkcs11/p11-kit-trust.so /usr/lib64/libnssckbi.so

Now place some certificates in the --with-trust-paths location(s). Right now, as input, you can use DER, PEM or OpenSSL style 'trusted certificates'.

For example you can tweak some trust policy bits like so:

$ openssl x509 -addtrust serverAuth -addreject clientAuth \
	-in /path/to/my-ca.pem -out /etc/pki/ca-trust/source/anchors/my-ca.pem

Now you can run apps like Firefox and see the certificates appear in the Certificate manager and are trusted as appropriate. You can use a command like this to see some debug output:

$ P11_KIT_DEBUG=all firefox

Run the extraction tool, and/or customize it:

$ p11-kit extract-trust

Documentation

Contributing