Red Hat Bugzilla – Full Text Bug Listing
|Summary:||p11-kit-trust.so must be able to dynamically load distrust information, separate from certificates|
|Product:||[Fedora] Fedora||Reporter:||Kai Engert (:kaie) <kengert>|
|Component:||p11-kit||Assignee:||Kalev Lember <kalevlember>|
|Status:||CLOSED RAWHIDE||QA Contact:||Fedora Extras Quality Assurance <extras-qa>|
|Version:||rawhide||CC:||kalevlember, mclasen, stefw, tmraz|
|Fixed In Version:||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|Last Closed:||2013-03-19 15:07:05 EDT||Type:||Bug|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Bug Depends On:|
Description Kai Engert (:kaie) 2013-03-08 11:58:48 EST
For https://fedoraproject.org/wiki/Features/SharedSystemCertificates we defined that the master input for system CA trust shall be in the openssl BEGIN TRUSTED CERTIFICATE file format. This missed that we require the ability to include distrust information that is stored without certificates. This bug asks that to define a file format for such distrust information, with the following capability: (a) distrust by issuer name and serial number (b) distrust by issued name and serial number and matching certificate hashsum We immediately require (a) in order to represent the existing distrust list used by Mozilla NSS. But the NSS distrust module is also capabable of (b), so we require that, too, in order to preserve the current flexibility being offered by the NSS libnssckbi.so module.
Comment 1 Stef Walter 2013-03-08 14:22:15 EST
Created attachment 707185 [details] Temporarily hard code distrust v1 Kai and I decided that we would temporarily hard code the distrust into p11-kit in rawhide. It is our intention to replace this mechanism with better solution within the next two weeks. Here is the attahced patch. With this patch we should be producing exactly the same trust information that libnssckbi.so was.
Comment 2 Stef Walter 2013-03-08 14:40:30 EST
Created attachment 707190 [details] Temporarily hard code distrust v2 Updated to include patch this is dependent on.
Comment 3 Stef Walter 2013-03-19 14:30:08 EDT
Implemented upstream as part of the 0.17.x series of p11-kit.