Gaming Linux® From Scratch (System V Edition) - Version #3f6b

Chapter 3. Shared Dependencies

p11-kit-0.25.5

Introduction to p11-kit

The p11-kit package provides a way to load and enumerate PKCS #11 (a Cryptographic Token Interface Standard) modules.

[Note]

Note

This may take a while to build. Feel free to do something else while this is building.

p11-kit Dependencies

Required (for Steam-1.0.0.82, otherwise recommended)

libtasn1-4.20.0 and nss-3.110

Installation of p11-kit

Prepare the distribution specific anchor hook: 

sed '20,$ d' -i trust/trust-extract-compat &&

cat >> trust/trust-extract-compat << "EOF"
# Copy existing anchor modifications to /etc/ssl/local
/usr/libexec/make-ca/copy-trust-modifications

# Update trust stores
/usr/sbin/make-ca -r
EOF

Install p11-kit by running the following commands: 

mkdir p11-build &&
cd    p11-build &&

meson setup ..            \
      --prefix=/usr       \
      --buildtype=release \
      -D trust_paths=/etc/pki/anchors &&

ninja

To test the results, issue: LC_ALL=C ninja test.

Now, as the root user: 

ninja install &&
ln -sfv /usr/libexec/p11-kit/trust-extract-compat \
        /usr/bin/update-ca-certificates

Command Explanations

[Note]

Note

Inspect meson_options.txt for a full list of options.

--buildtype=release: Specify a buildtype suitable for stable releases of the package, as the default may produce unoptimized binaries.

-D trust_paths=/etc/pki/anchors: this switch sets the location of trusted certificates used by libp11-kit.so.

-D hash_impl=freebl: Use this switch if you want to use the Freebl library from NSS for SHA1 and MD5 hashing.

Configuring p11-kit

Make system CAs available transparently to NSS aware applications by running the following commands as the root user: 

ln -sfv ./pkcs11/p11-kit-trust.so /usr/lib/libnssckbi.so

Contents

Installed Programs: p11-kit, trust, and update-ca-certificates
Installed Libraries: libp11-kit and p11-kit-proxy
Installed Directories: /etc/pkcs11, /usr/include/p11-kit-1, /usr/lib/pkcs11, /usr/libexec/p11-kit, and /usr/share/p11-kit

Short Descriptions

p11-kit

is a command line tool that can be used to perform operations on PKCS#11 modules configured on the system

trust

is a command line tool to examine and modify the shared trust policy store

update-ca-certificates

is a command line tool to both extract local certificates from an updated anchor store, and regenerate all anchors and certificate stores on the system. This is done unconditionally on BLFS using the --force and --get flags to make-ca and should likely not be used for automated updates

libp11-kit

contains functions used to coordinate initialization and finalization of any PKCS#11 module

p11-kit-proxy

is the PKCS#11 proxy module