Bug 919511 - p11-kit-trust.so must be able to dynamically load distrust information, separate from certificates
Product: Fedora
Classification: Fedora
Component: p11-kit
Assigned To: Kalev Lember
Fedora Extras Quality Assurance
Blocks: 466626
Reported: 2013-03-08 11:58 EST by Kai Engert (:kaie)
Modified: 2013-03-19 15:07 EDT

Doc Type: Bug Fix
Last Closed: 2013-03-19 15:07:05 EDT
Type: Bug

Attachments
Temporarily hard code distrust v1 (9.52 KB, patch)
2013-03-08 14:22 EST, Stef Walter
Temporarily hard code distrust v2 (10.45 KB, patch)
2013-03-08 14:40 EST, Stef Walter

External Trackers
Tracker: FreeDesktop.org, ID: 62156 (Priority: None, Status: None, Summary: None, Last Updated: Never)

Description Kai Engert (:kaie) 2013-03-08 11:58:48 EST
For https://fedoraproject.org/wiki/Features/SharedSystemCertificates
we defined that the master input for system CA trust shall be in the openssl BEGIN TRUSTED CERTIFICATE file format.

This missed that we require the ability to include distrust information that is stored without certificates.

This bug asks to define a file format for such distrust information, with the following capability:

(a) distrust by issuer name and serial number

(b) distrust by issued name and serial number and matching certificate hashsum

We immediately require (a) in order to represent the existing distrust list used by Mozilla NSS.

But the NSS distrust module is also capable of (b), so we require that, too, in order to preserve the current flexibility being offered by the NSS libnssckbi.so module.
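
Added example (not part of the bug report, and not p11-kit or NSS code): a sketch of how a verifier could evaluate the two kinds of distrust entry requested above. The entry layout, the use of SHA-256 for the "hashsum", and all names and sample bytes are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class DistrustEntry:
    """Hypothetical in-memory form of one distrust record (no certificate stored)."""
    issuer: bytes                      # issuer name (DER bytes in practice)
    serial: bytes                      # serial number bytes
    cert_hash: Optional[bytes] = None  # None -> kind (a); set -> kind (b)


def cert_digest(cert_der: bytes) -> bytes:
    # Assumption: SHA-256. The report only says "certificate hashsum".
    return hashlib.sha256(cert_der).digest()


def match_distrust(entries: Iterable[DistrustEntry], issuer: bytes,
                   serial: bytes, cert_der: bytes) -> Optional[DistrustEntry]:
    """Return the first entry that distrusts this certificate, else None."""
    for entry in entries:
        if entry.issuer != issuer or entry.serial != serial:
            continue
        if entry.cert_hash is None:
            return entry  # (a): name + serial alone is enough
        if entry.cert_hash == cert_digest(cert_der):
            return entry  # (b): must also be this exact certificate
    return None


# Constructed sample data; not real names, serials or certificates.
ISSUER = b"CN=Example Root CA (constructed)"
SERIAL = b"\x01\x02"
BAD_CERT = b"constructed bytes standing in for the distrusted certificate"
OTHER_CERT = b"constructed bytes for another certificate, same name and serial"

BY_SERIAL = [DistrustEntry(ISSUER, SERIAL)]
BY_HASH = [DistrustEntry(ISSUER, SERIAL, cert_digest(BAD_CERT))]

if __name__ == "__main__":
    for kind, entries in (("a", BY_SERIAL), ("b", BY_HASH)):
        for label, cert in (("bad", BAD_CERT), ("other", OTHER_CERT)):
            hit = match_distrust(entries, ISSUER, SERIAL, cert)
            print(kind, label, "distrusted" if hit else "not distrusted")
```

A kind (a) entry rejects every certificate carrying that name and serial, while a kind (b) entry rejects only the one certificate whose hash matches.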
Comment 1 Stef Walter 2013-03-08 14:22:15 EST
Created attachment 707185
Temporarily hard code distrust v1

Kai and I decided that we would temporarily hard code the distrust into p11-kit in rawhide. It is our intention to replace this mechanism with a better solution within the next two weeks.

Here is the attached patch. With this patch we should be producing exactly the same trust information that libnssckbi.so was.
Comment 2 Stef Walter 2013-03-08 14:40:30 EST
Created attachment 707190
Temporarily hard code distrust v2

Updated to include patch this is dependent on.
Comment 3 Stef Walter 2013-03-19 14:30:08 EDT
Implemented upstream as part of the 0.17.x series of p11-kit.
