| Server IP : 79.136.114.73 / Your IP : 52.15.60.240 Web Server : Apache/2.4.7 (Ubuntu) PHP/5.5.9-1ubuntu4.29 OpenSSL/1.0.1f System : Linux b8009 3.13.0-170-generic #220-Ubuntu SMP Thu May 9 12:40:49 UTC 2019 x86_64 User : www-data ( 33) PHP Version : 5.5.9-1ubuntu4.29 Disable Function : pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority, MySQL : ON | cURL : ON | WGET : ON | Perl : ON | Python : ON | Sudo : ON | Pkexec : ON Directory : /usr/share/gtk-doc/html/p11-kit/ |
Upload File : |
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Trust Policy Module</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="index.html" title="p11-kit">
<link rel="up" href="index.html" title="p11-kit">
<link rel="prev" href="sharing.html" title="Proxy Module">
<link rel="next" href="trust-nss.html" title="Using the Trust Policy Module with NSS">
<meta name="generator" content="GTK-Doc V1.19 (XML mode)">
<link rel="stylesheet" href="style.css" type="text/css">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<table class="navigation" id="top" width="100%" summary="Navigation header" cellpadding="2" cellspacing="2"><tr valign="middle">
<td><a accesskey="p" href="sharing.html"><img src="left.png" width="24" height="24" border="0" alt="Prev"></a></td>
<td> </td>
<td><a accesskey="h" href="index.html"><img src="home.png" width="24" height="24" border="0" alt="Home"></a></td>
<th width="100%" align="center">p11-kit</th>
<td><a accesskey="n" href="trust-nss.html"><img src="right.png" width="24" height="24" border="0" alt="Next"></a></td>
</tr></table>
<div class="chapter">
<div class="titlepage"><div><div><h1 class="title">
<a name="trust-module"></a>Trust Policy Module</h1></div></div></div>
<div class="toc"><dl class="toc">
<dt><span class="section"><a href="trust-module.html#trust-files">Paths loaded by the Module</a></span></dt>
<dt><span class="section"><a href="trust-nss.html">Using the Trust Policy Module with NSS</a></span></dt>
<dt><span class="section"><a href="trust-glib-networking.html">Using the Trust Policy Module with glib-networking</a></span></dt>
<dt><span class="section"><a href="trust-disable.html">Disabling the Trust Policy Module</a></span></dt>
</dl></div>
<p>The trust module provides system certificate anchors, blacklists
and other trust policy to crypto libraries applications. This
information is exposed as PKCS#11 objects.</p>
<p>You can use the <a class="link" href="trust.html" title="trust">trust</a> command line
tool to examine and modify the trust policy store.</p>
<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="trust-files"></a>Paths loaded by the Module</h2></div></div></div>
<p>The trust module loads certificates and trust policy information
from preconfigured paths and allows them to be looked up via PKCS#11.
The input paths can be determined with using the following command:</p>
<pre class="programlisting">
$ pkg-config --variable p11_trust_paths p11-kit-1
/usr/share/p11-kit/trust:/etc/pki/trust
</pre>
<p>Files in the following formats are supported for loading by the
trust policy module:</p>
<div class="variablelist"><table border="0" class="variablelist">
<colgroup>
<col align="left" valign="top">
<col>
</colgroup>
<tbody>
<tr>
<td><p><span class="term">X.509 certificates</span></p></td>
<td><p>X.509 certificates in raw DER format. Does not
automatically contain trust policy information.</p></td>
</tr>
<tr>
<td><p><span class="term">PEM certificates</span></p></td>
<td><p>X.509 certificates in PEM format. These have a
<code class="literal">BEGIN CERTIFICATE</code> header. This file does not
automatically contain trust policy information.</p></td>
</tr>
<tr>
<td><p><span class="term">OpenSSL trust certificates</span></p></td>
<td><p>OpenSSL specific certificates in PEM format
that contain trust information. These have a
<code class="literal">BEGIN TRUSTED CERTIFICATE</code> PEM header. Both
trust anchor and blacklist information can be loaded
from these files.</p></td>
</tr>
</tbody>
</table></div>
<p>If the input path is a file, then it is loaded. Certificate(s) in the
file are automatically treated as anchors, unless they contain alternate
trust policy information.</p>
<p>If the input path is a directory, files inside that directory are
parsed and loaded. If the file contains trust policy information (such as the
OpenSSL trust certificates) then it will be respected. Files without trust policy
information are not automatically marked as an anchor or blacklisted.</p>
<p>In addition two optional subdirectories of the input path are loaded. Files
placed in the <code class="literal">anchors/</code> subdirectory become trust anchors
when they do not contain trust policy information. Files placed in the
<code class="literal">blacklist/</code> subdirectory are blacklisted whether they
contain trust information or not.</p>
<p>The first input path becomes the first PKCS#11 token of the trust
module, and has the highest priority when callers search for trust
policy information.</p>
</div>
</div>
<div class="footer">
<hr>
Generated by GTK-Doc V1.19</div>
</body>
</html>