Hi Emanuel,
Yes, looking at the last RPM of p11-kit that is made available at IBM AIX ToolBox, I see that p11-kit-0.23.16-1 does not contain the trust command. Same in -devel and -tools.
lsrpm p11-kit-0.23.16-1.aix6.1.ppc.rpm | grep trust
NOTHING
If this is urgent, maybe you can use the p11-kit we deliver at BullFreeware:
http://www.bullfreeware.com/?searching=true&package=p11-kit&from=&to=&libraries=false&exact=false&version=5v0.23.21-2 as an example:
root@castor4## rpm -qa | grep p11
p11-kit-0.23.21-2.ppc
root@castor4## rpm -ql p11-kit-0.23.21-2.ppc | grep trust
/opt/freeware/bin/trust
/opt/freeware/bin/trust_32
/opt/freeware/bin/trust_64
/opt/freeware/lib/pkcs11/p11-kit-trust.so
/opt/freeware/lib64/pkcs11/p11-kit-trust.so
/opt/freeware/libexec/p11-kit/trust-extract-compat
/opt/freeware/share/p11-kit/modules/p11-kit-trust.module
Or 0.23.20-1 :
# lsrpm p11-kit-0.23.20-1.aix6.1.ppc.rpm | grep trust
50138 blocks
-rwxr-xr-x 1 root system 200572 Apr 2 2020 ./opt/freeware/bin/trust
-rwxr-xr-x 1 root system 231244 Apr 2 2020 ./opt/freeware/bin/trust_64
-rwxr-xr-x 1 root system 2675297 Apr 2 2020 ./opt/freeware/lib/pkcs11/p11-kit-trust.a
-rwxr-xr-x 1 root system 1153 Apr 2 2020 ./opt/freeware/libexec/p11-kit/trust-extract-compat
-rw-r--r-- 1 root system 902 Apr 2 2020 ./opt/freeware/share/p11-kit/modules/p11-kit-trust.module
Or 0.23.15-1 :
## lsrpm p11-kit-0.23.15-1.aix6.1.ppc.rpm | grep trust
105431 blocks
-rwxr-xr-x 1 root system 200542 Mar 27 2019 opt/freeware/bin/trust
-rwxr-xr-x 1 root system 234040 Mar 27 2019 opt/freeware/bin/trust_64
-rwxr-xr-x 1 root system 2619099 Mar 27 2019 opt/freeware/lib/pkcs11/p11-kit-trust.a
-rwxr-xr-x 1 root system 1230516 Mar 27 2019 opt/freeware/lib/pkcs11/p11-kit-trust.so
-rwxr-xr-x 1 root system 1369327 Mar 27 2019 opt/freeware/lib64/pkcs11/p11-kit-trust.so
-rwxr-xr-x 1 root system 1153 Mar 27 2019 opt/freeware/libexec/p11-kit/trust-extract-compat
-rw-r--r-- 1 root system 902 Mar 27 2019 opt/freeware/share/p11-kit/modules/p11-kit-trust.module
lrwxrwxrwx 1 root system 28 Mar 27 2019 usr/bin/trust -> ../../opt/freeware/bin/trust
lrwxrwxrwx 1 root system 31 Mar 27 2019 usr/bin/trust_64 -> ../../opt/freeware/bin/trust_64
If not urgent, you may wait for the IBM team to provide a new release of 0.23.16-1 with the missing tools.
Regards,
Tony
------------------------------
Tony Reix
------------------------------
Original Message:
Sent: Wed April 28, 2021 06:07 AM
From: Emanuel Reisinger
Subject: update-ca-bundles from ca-certificates not working
Hi,
I'm trying to use ftp -s and have to configure $HOME/.ftpcnf CA_PATH as man says:
...
If the -s flag is specified when you run the ftp command, then the ftp command searches for a local
$HOME/.ftpcnf file in the your home directory. If the file is found, the ftp command uses the following
configuration parameters to set up a TLS session with the server. ...
...
CA_PATH
The CA_PATH parameter provides the path to the certificate authority file, which must be in PEM format.
If specified, the server certificate is verified against the certificate authority. If the digital
certificate that is provided by the server was not signed by the security authority, the TLS session
fails. If not specified, the digital certificate that is provided by the server is not verified against
a certificate revocation list.
I would like to use ca-certificates from AIX Toolbox but I can't find the required certificate authority file in PEM format. I assume it should be /opt/freeware/etc/ssl/certs/extracted/pem/tls-ca-bundle.pem, but this file is empty.
I've tried to execute /opt/freeware/bin/update-ca-bundles but it does nothing, because the /usr/bin/p11-kit extract command that is used in update-ca-bundles has been moved to a separate command, trust extract, as the man page of p11-kit explains. Further, I can't find the trust command. It's not included in the p11-kit-tools rpm.
What can I do?
Any help is appreciated.
Best Regards.
------------------------------
Emanuel Reisinger
------------------------------
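Added example, not part of the thread or of any package mentioned in it: a POSIX shell check that a PEM CA bundle is actually populated before CA_PATH in $HOME/.ftpcnf is pointed at it, since an empty tls-ca-bundle.pem gives ftp -s nothing to verify the server certificate against. The function name check_ca_bundle is hypothetical; pass it the bundle path, for instance the one quoted in the question.

```shell
#!/bin/sh
# Added example (assumption: the bundle is plain PEM with standard
# "BEGIN CERTIFICATE" / "END CERTIFICATE" markers).
#
# check_ca_bundle FILE
#   prints the number of complete certificate blocks and returns 0, or
#   prints "missing"/"empty"/"no-certs" and returns 1, or
#   prints "malformed" and returns 2 when BEGIN/END markers do not pair up.
check_ca_bundle() {
    bundle=$1
    [ -f "$bundle" ] || { echo "missing"; return 1; }
    [ -s "$bundle" ] || { echo "empty"; return 1; }
    awk '
        /^-----BEGIN CERTIFICATE-----/ {
            if (inblk) bad = 1      # BEGIN inside an open block
            inblk = 1; next
        }
        /^-----END CERTIFICATE-----/ {
            if (!inblk) bad = 1     # END without a matching BEGIN
            else n++
            inblk = 0; next
        }
        END {
            if (inblk || bad) { print "malformed"; exit 2 }
            if (n == 0)       { print "no-certs";  exit 1 }
            print n
        }
    ' "$bundle"
}

# Run against a path given on the command line, if any.
if [ $# -gt 0 ]; then
    check_ca_bundle "$1"
fi
```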