The p11-kit package provides a way to load and enumerate PKCS #11 (a Cryptographic Token Interface Standard) modules.
Approximate build time: 0.6 SBU (with tests)
Required disk space: 106 MB (with tests)
p11-kit Dependencies
Recommended: Section 9.18, “libtasn1-4.21.0”
Recommended (runtime): Section 9.20, “make-ca-1.16.1”
9.19.1. Installation of p11-kit
Prepare the distribution specific anchor hook:
sed '20,$ d' -i trust/trust-extract-compat
cat >> trust/trust-extract-compat << "EOF"
# Copy existing anchor modifications to /etc/ssl/local
/usr/libexec/make-ca/copy-trust-modifications
# Update trust stores
/usr/sbin/make-ca -r
EOF
Prepare p11-kit by running the following commands:
meson setup p11-build \
      --prefix=/usr \
      --buildtype=release \
      -D trust_paths=/etc/pki/anchors
Compile the package:
ninja -C p11-build
To test the results, issue:
ninja -C p11-build test
Install the package:
ninja -C p11-build install
ln -sfv /usr/libexec/p11-kit/trust-extract-compat \
        /usr/bin/update-ca-certificates
9.19.2. Command Explanations
--buildtype=release: Specify a buildtype suitable for stable releases of the package, as the default may produce unoptimized binaries.
-D trust_paths=/etc/pki/anchors: This switch sets the location of trusted certificates used by libp11-kit.so.
-D hash_impl=freebl: Use this switch if you want to use the Freebl library from NSS for SHA1 and MD5 hashing.
9.19.3. Configuring p11-kit
The p11-kit trust module (/usr/lib/pkcs11/p11-kit-trust.so) can be used as a drop-in replacement for /usr/lib/libnssckbi.so to transparently make the system CAs available to NSS-aware applications, rather than the static list provided by /usr/lib/libnssckbi.so. As the root user, execute the following command:
ln -sfv ./pkcs11/p11-kit-trust.so /usr/lib/libnssckbi.so
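A post-install check for the two symlinks and the anchor hook created above, as an added example that is not part of the book. The function names and the ROOT argument are hypothetical; pass / for the live system or a staged tree to run the check offline.

```sh
#!/bin/sh
# Added example, not from the book. ROOT is a hypothetical parameter: "/" for
# the live system, or a staged copy of the tree for an offline check.

# link_hits LINK WANT ROOT: true if symlink LINK points at the file WANT.
# Absolute targets are re-rooted under ROOT; relative ones resolve from LINK's dir.
link_hits() {
    [ -L "$1" ] && [ -e "$2" ] || return 1
    target=$(readlink "$1")
    case $target in
        /*) target=$3$target ;;
        *)  target=$(dirname "$1")/$target ;;
    esac
    [ "$(readlink -f "$target")" = "$(readlink -f "$2")" ]
}

# verify_p11kit ROOT: print one line per check; return status is the failure count.
verify_p11kit() {
    root=${1%/}; fails=0
    hook=$root/usr/libexec/p11-kit/trust-extract-compat

    # NSS applications must load the p11-kit trust module, not a static CA list.
    if link_hits "$root/usr/lib/libnssckbi.so" "$root/usr/lib/pkcs11/p11-kit-trust.so" "$root"
    then echo "ok   libnssckbi.so -> pkcs11/p11-kit-trust.so"
    else echo "FAIL libnssckbi.so is not the p11-kit trust module"; fails=$((fails + 1))
    fi

    # update-ca-certificates must be the edited anchor hook.
    if link_hits "$root/usr/bin/update-ca-certificates" "$hook" "$root"
    then echo "ok   update-ca-certificates -> trust-extract-compat"
    else echo "FAIL update-ca-certificates does not point at the hook"; fails=$((fails + 1))
    fi

    # The hook must carry both command lines appended by the heredoc.
    for line in /usr/libexec/make-ca/copy-trust-modifications "/usr/sbin/make-ca -r"; do
        if grep -qxF -- "$line" "$hook" 2>/dev/null
        then echo "ok   hook runs: $line"
        else echo "FAIL hook is missing: $line"; fails=$((fails + 1))
        fi
    done
    return "$fails"
}
```

On the installed system, call verify_p11kit / after the commands above.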
9.19.4. Contents
Installed Programs: p11-kit, trust, and update-ca-certificates
Installed Libraries: libp11-kit.so and p11-kit-proxy.so
Installed Directories: /etc/pkcs11, /usr/include/p11-kit-1, /usr/lib/pkcs11, /usr/libexec/p11-kit, /usr/share/gtk-doc/html/p11-kit, and /usr/share/p11-kit
Short Descriptions
| p11-kit | is a command line tool that can be used to perform operations on PKCS#11 modules configured on the system |
| trust | is a command line tool to examine and modify the shared trust policy store |
| update-ca-certificates | is a command line tool to both extract local certificates from an updated anchor store, and regenerate all anchors and certificate stores on the system. This is done unconditionally on BLFS using the --force and --get flags to make-ca and should likely not be used for automated updates |
| libp11-kit.so | contains functions used to coordinate initialization and finalization of any PKCS#11 module |
| p11-kit-proxy.so | is the PKCS#11 proxy module |