p11-kit-0.25.3
Introduction to p11-kit
The p11-kit package provides a way to load and
enumerate PKCS #11 (a Cryptographic Token Interface Standard) modules.
Note
Development versions of BLFS may not build or run
some packages properly if LFS or dependencies have been updated
since the most recent stable versions of the books.
Package Information
p11-kit Dependencies
Recommended
libtasn1-4.19.0
Recommended (runtime)
make-ca-1.13
Optional
GTK-Doc-1.33.2,
libxslt-1.1.39, and
nss-3.94 (runtime)
Installation of p11-kit
Prepare the distribution specific anchor hook:
sed '20,$ d' -i trust/trust-extract-compat &&
cat >> trust/trust-extract-compat << "EOF"
# Copy existing anchor modifications to /etc/ssl/local
/usr/libexec/make-ca/copy-trust-modifications
# Update trust stores
/usr/sbin/make-ca -r
EOF
Install p11-kit by running the following
commands:
mkdir p11-build &&
cd p11-build &&
meson setup .. \
--prefix=/usr \
--buildtype=release \
-Dtrust_paths=/etc/pki/anchors &&
ninja
To test the results, issue: LC_ALL=C ninja test.
Now, as the root
user:
ninja install &&
ln -sfv /usr/libexec/p11-kit/trust-extract-compat \
/usr/bin/update-ca-certificates
Command Explanations
--buildtype=release
: Specify a buildtype
suitable for stable releases of the package, as the default may
produce unoptimized binaries.
-Dtrust_paths=/etc/pki/anchors
: this switch
sets the location of trusted certificates used by libp11-kit.so.
-Dhash_impl=freebl
: Use this switch if you want to
use the Freebl library from NSS for SHA1 and
MD5 hashing.
-Dgtk_doc=true
: Use this switch if you have installed
GTK-Doc-1.33.2 and libxslt-1.1.39 and wish to
rebuild the documentation and generate manual pages.
Configuring p11-kit
The p11-kit trust module
(/usr/lib/pkcs11/p11-kit-trust.so
) can be used as a
drop-in replacement for /usr/lib/libnssckbi.so
to
transparently make the system CAs available to
NSS aware applications, rather than the static
list provided by /usr/lib/libnssckbi.so
. As the
root
user, execute the
following commands:
ln -sfv ./pkcs11/p11-kit-trust.so /usr/lib/libnssckbi.so
Contents
Installed Programs:
p11-kit, trust, and update-ca-certificates
Installed Libraries:
libp11-kit.so and p11-kit-proxy.so
Installed Directories:
/etc/pkcs11,
/usr/include/p11-kit-1,
/usr/lib/pkcs11,
/usr/libexec/p11-kit,
/usr/share/gtk-doc/html/p11-kit, and
/usr/share/p11-kit
Short Descriptions
p11-kit |
is a command line tool that can be used to perform operations
on PKCS#11 modules configured on the system
|
trust |
is a command line tool to examine and modify the shared trust
policy store
|
update-ca-certificates |
is a command line tool to both extract local certificates from an
updated anchor store, and regenerate all anchors and certificate
stores on the system. This is done unconditionally on BLFS using
the --force and --get
flags to make-ca and should likely not be used
for automated updates
|
libp11-kit.so
|
contains functions used to coordinate initialization and
finalization of any PKCS#11 module
|
p11-kit-proxy.so
|
is the PKCS#11 proxy module
|