For https://fedoraproject.org/wiki/Features/SharedSystemCertificates we defined that the master input for system CA trust shall be in the openssl BEGIN TRUSTED CERTIFICATE file format. This missed that we require the ability to include distrust information that is stored without certificates. This bug asks that to define a file format for such distrust information, with the following capability: (a) distrust by issuer name and serial number (b) distrust by issued name and serial number and matching certificate hashsum We immediately require (a) in order to represent the existing distrust list used by Mozilla NSS. But the NSS distrust module is also capabable of (b), so we require that, too, in order to preserve the current flexibility being offered by the NSS libnssckbi.so module.
Created attachment 707185 [details] Temporarily hard code distrust v1 Kai and I decided that we would temporarily hard code the distrust into p11-kit in rawhide. It is our intention to replace this mechanism with better solution within the next two weeks. Here is the attahced patch. With this patch we should be producing exactly the same trust information that libnssckbi.so was.
Created attachment 707190 [details] Temporarily hard code distrust v2 Updated to include patch this is dependent on.
Implemented upstream as part of the 0.17.x series of p11-kit.