Red Hat Bugzilla – Bug 919511
p11-kit-trust.so must be able to dynamically load distrust information, separate from certificates
Last modified: 2013-03-19 15:07:05 EDT
we defined that the master input for system CA trust shall be in the openssl BEGIN TRUSTED CERTIFICATE file format.
This missed that we require the ability to include distrust information that is stored without certificates.
This bug asks that to define a file format for such distrust information, with the following capability:
distrust by issuer name and serial number
distrust by issued name and serial number and matching certificate hashsum
We immediately require (a) in order to represent the existing distrust list used by Mozilla NSS.
But the NSS distrust module is also capabable of (b), so we require that, too, in order to preserve the current flexibility being offered by the NSS libnssckbi.so module.
Created attachment 707185 [details]
Temporarily hard code distrust v1
Kai and I decided that we would temporarily hard code the distrust into p11-kit in rawhide. It is our intention to replace this mechanism with better solution within the next two weeks.
Here is the attahced patch. With this patch we should be producing exactly the same trust information that libnssckbi.so was.
Created attachment 707190 [details]
Temporarily hard code distrust v2
Updated to include patch this is dependent on.
Implemented upstream as part of the 0.17.x series of p11-kit.