Bug 919511

Summary: p11-kit-trust.so must be able to dynamically load distrust information, separate from certificates
Product: [Fedora] Fedora Reporter: Kai Engert (:kaie) (inactive account) <kengert>
Component: p11-kitAssignee: Kalev Lember <kalevlember>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: kalevlember, mclasen, stefw, tmraz
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-03-19 19:07:05 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 466626    
Attachments:
Description Flags
Temporarily hard code distrust v1
none
Temporarily hard code distrust v2 none

Description Kai Engert (:kaie) (inactive account) 2013-03-08 16:58:48 UTC 
For https://fedoraproject.org/wiki/Features/SharedSystemCertificates
we defined that the master input for system CA trust shall be in the openssl BEGIN TRUSTED CERTIFICATE file format.

This missed that we require the ability to include distrust information that is stored without certificates.

This bug asks that to define a file format for such distrust information, with the following capability:

(a)
distrust by issuer name and serial number

(b)
distrust by issued name and serial number and matching certificate hashsum


We immediately require (a) in order to represent the existing distrust list used by Mozilla NSS.

But the NSS distrust module is also capabable of (b), so we require that, too, in order to preserve the current flexibility being offered by the NSS libnssckbi.so module.
Comment 1 Stef Walter 2013-03-08 19:22:15 UTC 
Created attachment 707185 [details]
Temporarily hard code distrust v1

Kai and I decided that we would temporarily hard code the distrust into p11-kit in rawhide. It is our intention to replace this mechanism with better solution within the next two weeks.

Here is the attahced patch. With this patch we should be producing exactly the same trust information that libnssckbi.so was.
Comment 2 Stef Walter 2013-03-08 19:40:30 UTC 
Created attachment 707190 [details]
Temporarily hard code distrust v2

Updated to include patch this is dependent on.
Comment 3 Stef Walter 2013-03-19 18:30:08 UTC 
Implemented upstream as part of the 0.17.x series of p11-kit.