8.108. p11-kit-0.25.5

8.108.1. Introduction to p11-kit

The p11-kit package provides a way to load and enumerate PKCS #11 (a Cryptographic Token Interface Standard) modules.

Approximate build time: 0.7 SBU
Required disk space: 94 MB

8.108.2. Installation of p11-kit

Create the PKGBUILD for the p11-kit package with the following commands:

mkdir /sources/p11-kit
cd /sources/p11-kit
cat > PKGBUILD << "REALEOF"
# Maintainer: Linux From Scratch <lfs-dev@lists.linuxfromscratch.org>

pkgname="p11-kit"
pkgver="0.25.5"
pkgrel="1"
pkgdesc="The p11-kit package provides a way to load and enumerate PKCS #11 modules"
arch=('x86'
      'x86_64')
url="https://github.com/p11-glue/p11-kit/"
depends=('glibc'
         'libtasn1'
         'rootfs')
makedepends=('bash'
             'binutils'
             'coreutils'
             'gcc'
             'gettext'
             'make'
             'sed'
             'texinfo')
optdepends=('gtk-doc'
            'libxslt'
            'nss')
source=('https://github.com/p11-glue/p11-kit/releases/download/0.25.5/p11-kit-0.25.5.tar.xz')
md5sums=('e9c5675508fcd8be54aa4c8cb8e794fc')

build(){
  cd "${pkgname}-${pkgver}"
  ./configure --prefix=/usr     \
              --sysconfdir=/etc \
              --with-trust-paths=/etc/pki/anchors
  make
}

check(){
  cd "${pkgname}-${pkgver}"
  make check
}

package(){
  cd "${pkgname}-${pkgver}"
  make DESTDIR="${pkgdir}" install
  ln -sfv ./pkcs11/p11-kit-trust.so "${pkgdir}/usr/lib/libnssckbi.so"

  # Configure the trust-extract-compat script to use make-ca
  cat >> "${pkgdir}/usr/libexec/p11-kit/trust-extract-compat" << "EOF"

# Copy existing anchor modifications to /etc/ssl/local
/usr/libexec/make-ca/copy-trust-modifications

# Update trust stores
/usr/sbin/make-ca -r
EOF
  ln -sfv /usr/libexec/p11-kit/trust-extract-compat \
          "${pkgdir}/usr/bin/update-ca-certificates"
}
REALEOF

Prepare the build directory for the pacman user and build the package:

chown -R root:pacman .
chmod 2775 .
chmod 664 PKGBUILD
su pacman -c 'makepkg -L --nodeps'

Add the newly created package to the central package repository:

cp p11-kit-0.25.5-1-$(uname -m).pkg.tar.xz \
   /srv/pacman/repos/LFS/
repo-add /srv/pacman/repos/LFS/LFS.db.tar.xz \
         /srv/pacman/repos/LFS/p11-kit-0.25.5-1-$(uname -m).pkg.tar.xz

Update the local cache and install the p11-kit package:

pacman -Syu
pacman -S p11-kit --overwrite \* -dd --noconfirm

Finally, copy the source files into the source repository and clean up the build directory:

mkdir /srv/pacman/source/LFS/p11-kit
cp PKGBUILD /srv/pacman/source/LFS/p11-kit
cd /sources
rm -rf p11-kit
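
The following check is an added example, not part of the book's instructions. For a root directory such as "$pkgdir" or /, it verifies the two symlinks and the make-ca hooks that package() creates, plus one assumed hardening check on the script's permissions. The function names and the constructed sample tree are illustrative.

```shell
#!/bin/sh
# Added example, not from the book: sanity-check a p11-kit package tree.
# ROOT is "$pkgdir" after package(), or / after installation.
check_p11kit_root() {
  root=$1; fails=0
  compat="$root/usr/libexec/p11-kit/trust-extract-compat"
  fail() { echo "FAIL: $1" >&2; fails=$((fails + 1)); }

  # The NSS-compatible name must be a symlink to the p11-kit trust module.
  [ "$(readlink "$root/usr/lib/libnssckbi.so")" = "./pkcs11/p11-kit-trust.so" ] ||
    fail "libnssckbi.so is not a symlink to ./pkcs11/p11-kit-trust.so"
  [ -f "$root/usr/lib/pkcs11/p11-kit-trust.so" ] || fail "p11-kit-trust.so is missing"

  # update-ca-certificates must point at the compat script.
  [ "$(readlink "$root/usr/bin/update-ca-certificates")" = \
    "/usr/libexec/p11-kit/trust-extract-compat" ] ||
    fail "update-ca-certificates does not point at trust-extract-compat"

  # The make-ca hooks appended by package() must each be present as a full line.
  for hook in "/usr/libexec/make-ca/copy-trust-modifications" "/usr/sbin/make-ca -r"; do
    grep -qxF -- "$hook" "$compat" 2>/dev/null || fail "hook missing: $hook"
  done

  # Assumed hardening check: the script runs as root, so nobody else may write it.
  [ -z "$(find "$compat" \( -perm -020 -o -perm -002 \) 2>/dev/null)" ] ||
    fail "trust-extract-compat is group- or world-writable"

  return "$fails"
}

# Constructed sample tree mirroring what package() installs (stand-in files only).
make_sample_root() {
  r=$1
  mkdir -p "$r/usr/lib/pkcs11" "$r/usr/libexec/p11-kit" "$r/usr/bin"
  : > "$r/usr/lib/pkcs11/p11-kit-trust.so"
  ln -sf ./pkcs11/p11-kit-trust.so "$r/usr/lib/libnssckbi.so"
  printf '%s\n' '#!/bin/sh' '/usr/libexec/make-ca/copy-trust-modifications' \
    '/usr/sbin/make-ca -r' > "$r/usr/libexec/p11-kit/trust-extract-compat"
  chmod 755 "$r/usr/libexec/p11-kit/trust-extract-compat"
  ln -sf /usr/libexec/p11-kit/trust-extract-compat "$r/usr/bin/update-ca-certificates"
}

# Run as a script: check the root given as the first argument.
if [ "$#" -gt 0 ]; then check_p11kit_root "$1"; fi
```

The return status is the number of failed checks, so 0 means the tree matches what package() is meant to produce.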

8.108.3. Command Explanations

--with-trust-paths=/etc/pki/anchors: this switch sets the location of trusted certificates used by libp11-kit.so.

--with-hash-impl=freebl: Use this switch if you want to use the Freebl library from NSS for SHA1 and MD5 hashing.

8.108.4. Contents

Installed Programs: p11-kit, trust, and update-ca-certificates
Installed Libraries: libp11-kit.so and p11-kit-proxy.so
Installed Directories: /etc/pkcs11, /usr/include/p11-kit-1, /usr/lib/pkcs11, /usr/libexec/p11-kit, /usr/share/gtk-doc/html/p11-kit, and /usr/share/p11-kit

Short Descriptions

p11-kit

is a command line tool that can be used to perform operations on PKCS#11 modules configured on the system.

trust

is a command line tool to examine and modify the shared trust policy store.

update-ca-certificates

is a command line tool that both extracts local certificates from an updated anchor store and regenerates all anchors and certificate stores on the system. In LFS this is done unconditionally using the -r flag to make-ca; the command should not be used to refresh the upstream certificate store.

libp11-kit.so

contains functions used to coordinate initialization and finalization of any PKCS#11 module.

p11-kit-proxy.so

is the PKCS#11 proxy module.