Bug 919511 - p11-kit-trust.so must be able to dynamically load distrust information, separate from certificates
Summary: p11-kit-trust.so must be able to dynamically load distrust information, separ...
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: p11-kit
Version: rawhide
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Kalev Lember
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 466626
TreeView+ depends on / blocked
 
Reported: 2013-03-08 16:58 UTC by Kai Engert (:kaie) (inactive account)
Modified: 2013-03-19 19:07 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-03-19 19:07:05 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)
Temporarily hard code distrust v1 (9.52 KB, patch)
2013-03-08 19:22 UTC, Stef Walter
no flags Details | Diff
Temporarily hard code distrust v2 (10.45 KB, patch)
2013-03-08 19:40 UTC, Stef Walter
no flags Details | Diff


Links
System ID Private Priority Status Summary Last Updated
FreeDesktop.org 62156 0 None None None Never

Description Kai Engert (:kaie) (inactive account) 2013-03-08 16:58:48 UTC
For https://fedoraproject.org/wiki/Features/SharedSystemCertificates
we defined that the master input for system CA trust shall be in the openssl BEGIN TRUSTED CERTIFICATE file format.

This missed that we require the ability to include distrust information that is stored without certificates.

This bug asks that to define a file format for such distrust information, with the following capability:

(a)
distrust by issuer name and serial number

(b)
distrust by issued name and serial number and matching certificate hashsum


We immediately require (a) in order to represent the existing distrust list used by Mozilla NSS.

But the NSS distrust module is also capabable of (b), so we require that, too, in order to preserve the current flexibility being offered by the NSS libnssckbi.so module.

Comment 1 Stef Walter 2013-03-08 19:22:15 UTC
Created attachment 707185 [details]
Temporarily hard code distrust v1

Kai and I decided that we would temporarily hard code the distrust into p11-kit in rawhide. It is our intention to replace this mechanism with better solution within the next two weeks.

Here is the attahced patch. With this patch we should be producing exactly the same trust information that libnssckbi.so was.

Comment 2 Stef Walter 2013-03-08 19:40:30 UTC
Created attachment 707190 [details]
Temporarily hard code distrust v2

Updated to include patch this is dependent on.

Comment 3 Stef Walter 2013-03-19 18:30:08 UTC
Implemented upstream as part of the 0.17.x series of p11-kit.


Note You need to log in before you can comment on or make changes to this bug.