Beyond Linux® From Scratch (systemd edition) - Version 8.4

Chapter 4. Security

p11-kit-0.23.15

Introduction to p11-kit

The p11-kit package provides a way to load and enumerate PKCS #11 (a Cryptographic Token Interface Standard) modules.

This package is known to build and work properly using an LFS-8.4 platform.

Package Information

p11-kit Dependencies

Recommended

libtasn1-4.13

Optional

make-ca-1.2 (runtime), NSS-3.42.1 (runtime), GTK-Doc-1.29 and libxslt-1.1.33

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/p11-kit

Installation of p11-kit

Prepare the distribution specific anchor hook: 

sed '20,$ d' -i trust/trust-extract-compat.in &&
cat >> trust/trust-extract-compat.in << "EOF"
# Copy existing anchor modifications to /etc/ssl/local
/usr/libexec/make-ca/copy-trust-modifications

# Generate a new trust store
/usr/sbin/make-ca -f -g
EOF

Install p11-kit by running the following commands: 

./configure --prefix=/usr     \
            --sysconfdir=/etc \
            --with-trust-paths=/etc/pki/anchors &&
make

To test the results, issue: make check.

Now, as the root user: 

make install &&
ln -s /usr/libexec/p11-kit/trust-extract-compat \
      /usr/bin/update-ca-certificates

Command Explanations

--with-trust-paths=/etc/pki/anchors: this switch sets the location of trusted certificates used by libp11-kit.so.

--with-hash-impl=freebl: Use this switch if you want to use the Freebl library from NSS for SHA1 and MD5 hashing.

--enable-doc: Use this switch if you have installed GTK-Doc-1.29 and libxslt-1.1.33 and wish to rebuild the documentation and generate manual pages.

Configuring p11-kit

The p11-kit trust module (/usr/lib/pkcs11/p11-kit-trust.so) can be used as a drop-in replacement for /usr/lib/libnssckbi.so to transparently make the system CAs available to NSS aware applications, rather than the static list provided by /usr/lib/libnssckbi.so. As the root user, execute the following commands: 

ln -sfv ./pkcs11/p11-kit-trust.so /usr/lib/libnssckbi.so

Contents

Installed Programs: p11-kit and trust
Installed Libraries: libp11-kit.so and p11-kit-proxy.so
Installed Directories: /etc/pkcs11, /usr/include/p11-kit-1, /usr/lib/{p11-kit,pkcs11}, /usr/share/gtk-doc/html/p11-kit, and /usr/share/p11-kit

Short Descriptions

p11-kit

is a command line tool that can be used to perform operations on PKCS#11 modules configured on the system.

trust

is a command line tool to examine and modify the shared trust policy store.

update-ca-certificates

is a command line tool to both extract local certificates from an upadated anchor store, and regenerate all anchors and certificate stores on the system.

libp11-kit.so

contains functions used to coordinate initialization and finalization of any PKCS#11 module.

p11-kit-proxy.so

is the PKCS#11 proxy module.

Last updated on 2019-02-24 13:00:49 -0800