| author | Stef Walter <stefw@gnome.org> | 2013-03-15 11:50:24 +0100 |
|---|---|---|
| committer | Stef Walter <stefw@gnome.org> | 2013-03-15 18:18:47 +0100 |
| commit | 7fd74a78fcad81227be3650239669bca5851a1db | |
| tree | 64f60c20357a7fd34f9aee30ac12dcfa2ebb1109 /doc | |
| parent | 48004b92d4c65080ac71f6a48297abd4d83dfdcb | |
trust: Support a p11-kit specific serialization format
This is documented in the doc/internals/ subdirectory.
Add tests for the format as well.
https://bugs.freedesktop.org/show_bug.cgi?id=62156
Diffstat (limited to 'doc')
-rw-r--r-- | doc/internal/persist-format.txt | 54 |
1 files changed, 54 insertions, 0 deletions
diff --git a/doc/internal/persist-format.txt b/doc/internal/persist-format.txt new file mode 100644 index 0000000..a0a3194 --- /dev/null +++ b/doc/internal/persist-format.txt 
@@ -0,0 +1,54 @@ +These are some notes about the p11-kit persistence format + +The format is designed to be somewhat human readable and debuggable, and a bit +transparent but it is also not encouraged to read/write this format from other +applications or tools without first discussing this at the the mailing list: + +p11-glue@lists.freedesktop.org + +The format of the file reflects the PKCS#11 attributes exposed by p11-kit. The +attributes have a one to one mapping with PKCS#11 attributes of similar names. +No assumptions should be made that an attribute does what you think it does +from the label. + +Each object in the file starts with the header '[p11-kit-object-v1]'. After that +point there are names and valeus separated by colons. Whitespace surrounding +the names and values is ignored. + +Boolean values are 'true' and 'false'. Unsigned long attributes are plain +numbers. String/binary attributes are surrounded with quotes and percent +encoded. Object id attributes are in their dotted form. Various PKCS#11 +constants are available. + +PEM blocks can be present within an object, and these contribute certain +PKCS#11 attributes to the object. The attributes that come from PEM blocks +never override those explicitly specified. A 'CERTIFICATE' type PEM block +contributes the 'value', 'class', 'certificate-type', 'subject', 'issuer' +'start-date', 'end-date', 'id', 'certificate-category', 'check-value', +'serial-number' attributes with appropriate values. + +Comments starting with a '#' and blank lines are ignored. + +Only rudimentary checks are done to make sure that the resulting attributes +make sense. This may change in the future, and invalid files will be +unceremoniously rejected. 
So again use the mailing list if there's a need +to be writing these files at this point: + +p11-glue@lists.freedesktop.org + +Example file: + +[p11-kit-object-v1] +class = certificate +modifiable = true +java-midp-security-domain = 0 +label = "My special label" +id = "%01%02%03go" + +-----BEGIN CERTIFICATE----- +MIIEXDCCA0SgAwIBAgIEOGO5ZjANBgkqhkiG9w0BAQUFADCBtDEUMBIGA1UEChML +................................................................ +B/L/CNDi3tm/Kq+4h4YhPATKt5Rof8886ZjXOP/swNlQ8C5LWK5Gb9Auw2DaclVy +vUxFnmG6v4SBkgPR0ml8xQ== +-----END CERTIFICATE----- +x-distrusted = true |
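Review bot: the percent-encoding rule for string/binary attributes is under-specified in persist-format.txt. The text only says such values are "surrounded with quotes and percent encoded", and the example shows a mixed value, `id = "%01%02%03go"`, but it does not state which bytes a writer must encode (at least `%` and `"` have to be, otherwise a value containing either cannot be round-tripped), whether hex digits are case-sensitive, or what a reader does with a bare `"` inside a value or a truncated `%x` sequence. Since the closing paragraph promises that invalid files will be "unceremoniously rejected" in the future, pinning the rule down now avoids writers producing files that a stricter parser later refuses. The same applies to "Various PKCS#11 constants are available": name them, or point at where in the code the accepted spellings live, so a writer knows which bare words parse. Smaller points in the same hunk: "valeus" should be "values", "the the mailing list" has a doubled word, and the list of attributes a CERTIFICATE PEM block contributes is missing a comma between 'issuer' and 'start-date'. The commit message also refers to doc/internals/ while the file is added under doc/internal/.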