This file is indexed.

/usr/share/gtk-doc/html/p11-kit/trust.html is in libp11-kit-dev 0.20.7-1.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below.

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>trust</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="index.html" title="p11-kit">
<link rel="up" href="tools.html" title="Manual Pages">
<link rel="prev" href="pkcs11-conf.html" title="pkcs11.conf">
<link rel="next" href="reference.html" title="API Reference">
<meta name="generator" content="GTK-Doc V1.19 (XML mode)">
<link rel="stylesheet" href="style.css" type="text/css">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<table class="navigation" id="top" width="100%" summary="Navigation header" cellpadding="2" cellspacing="2"><tr valign="middle">
<td><a accesskey="p" href="pkcs11-conf.html"><img src="left.png" width="24" height="24" border="0" alt="Prev"></a></td>
<td><a accesskey="u" href="tools.html"><img src="up.png" width="24" height="24" border="0" alt="Up"></a></td>
<td><a accesskey="h" href="index.html"><img src="home.png" width="24" height="24" border="0" alt="Home"></a></td>
<th width="100%" align="center">p11-kit</th>
<td><a accesskey="n" href="reference.html"><img src="right.png" width="24" height="24" border="0" alt="Next"></a></td>
</tr></table>
<div class="refentry">
<a name="trust"></a><div class="titlepage"></div>
<div class="refnamediv"><table width="100%"><tr>
<td valign="top">
<h2><span class="refentrytitle">trust</span></h2>
<p>trust — Tool for operating on the trust policy store</p>
</td>
<td valign="top" align="right"></td>
</tr></table></div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">trust list</code> </p></div>
<div class="cmdsynopsis"><p><code class="command">trust extract</code>   --filter=&lt;what&gt;   --format=&lt;type&gt;  /path/to/destination
	</p></div>
<div class="cmdsynopsis"><p><code class="command">trust anchor</code>  /path/to/certificate.crt
	</p></div>
</div>
<div class="refsect1">
<a name="trust-description"></a><h2>Description</h2>
<p><span class="command"><strong>trust</strong></span> is a command line tool to examine and
	modify the shared trust policy store.</p>
<p>See the various sub commands below. The following global options
	can be used:</p>
<div class="variablelist"><table border="0" class="variablelist">
<colgroup>
<col align="left" valign="top">
<col>
</colgroup>
<tbody>
<tr>
<td><p><span class="term"><code class="option">-v, --verbose</code></span></p></td>
<td><p>Run in verbose mode with debug
			output.</p></td>
</tr>
<tr>
<td><p><span class="term"><code class="option">-q, --quiet</code></span></p></td>
<td><p>Run in quiet mode without warning or
			failure messages.</p></td>
</tr>
</tbody>
</table></div>
</div>
<div class="refsect1">
<a name="trust-list"></a><h2>List</h2>
<p>List trust policy store items.</p>
<pre class="programlisting">
$ trust list
</pre>
<p>List information about the various items in the trust policy store.
	Each item is listed with it's PKCS#11 URI and some descriptive information.</p>
<p>You can specify the following options to control what to list.</p>
<dt><span class="term"><code class="option">--filter=&lt;what&gt;</code></span></dt>
<dd>
<p>Specifies what certificates to extract. You can specify the following values:
		</p>
<div class="variablelist"><table border="0" class="variablelist">
<colgroup>
<col align="left" valign="top">
<col>
</colgroup>
<tbody>
<tr>
<td><p><span class="term"><code class="option">ca-anchors</code></span></p></td>
<td><p>Certificate anchors</p></td>
</tr>
<tr>
<td><p><span class="term"><code class="option">trust-policy</code></span></p></td>
<td><p>Anchors and blacklist (default)</p></td>
</tr>
<tr>
<td><p><span class="term"><code class="option">blacklist</code></span></p></td>
<td><p>Blacklisted certificates</p></td>
</tr>
<tr>
<td><p><span class="term"><code class="option">certificates</code></span></p></td>
<td><p>All certificates</p></td>
</tr>
<tr>
<td><p><span class="term"><code class="option">pkcs11:object=xx</code></span></p></td>
<td><p>A PKCS#11 URI to filter with</p></td>
</tr>
</tbody>
</table></div>
<p>
		</p>
<p>If an output format is chosen that cannot support type what has been
		specified by the filter, a message will be printed.</p>
<p>None of the available formats support storage of blacklist entries
		that do not contain a full certificate. Thus any certificates blacklisted by
		their issuer and serial number alone, are not included in the extracted
		blacklist.</p>
</dd>
<dt><span class="term"><code class="option">--purpose=&lt;usage&gt;</code></span></dt>
<dd>
<p>Limit to certificates usable for the given purpose
		You can specify one of the following values:
		</p>
<div class="variablelist"><table border="0" class="variablelist">
<colgroup>
<col align="left" valign="top">
<col>
</colgroup>
<tbody>
<tr>
<td><p><span class="term"><code class="option">server-auth</code></span></p></td>
<td><p>For authenticating servers</p></td>
</tr>
<tr>
<td><p><span class="term"><code class="option">client-auth</code></span></p></td>
<td><p>For authenticating clients</p></td>
</tr>
<tr>
<td><p><span class="term"><code class="option">email</code></span></p></td>
<td><p>For email protection</p></td>
</tr>
<tr>
<td><p><span class="term"><code class="option">code-signing</code></span></p></td>
<td><p>For authenticated signed code</p></td>
</tr>
<tr>
<td><p><span class="term"><code class="option">1.2.3.4.5...</code></span></p></td>
<td><p>An arbitrary purpose OID</p></td>
</tr>
</tbody>
</table></div>
<p>
		</p>
</dd>
</div>
<div class="refsect1">
<a name="trust-anchor"></a><h2>Anchor</h2>
<p>Store or remove trust anchors.</p>
<pre class="programlisting">
$ trust anchor /path/to/certificate.crt
$ trust anchor --remove /path/to/certificate.crt
$ trust anchor --remove "pkcs11:id=%AA%BB%CC%DD%EE;object-type=cert"
</pre>
<p>Store or remove trust anchors in the trust policy store. These are
	usually root certificate authorities.</p>
<p>Specify either the <code class="option">--store</code> or <code class="option">--remove</code>
	operations. If no operation is specified then <code class="option">--store</code> is
	assumed.</p>
<p>When storing, one or more certificate files are expected on the
	command line. These are stored as anchors, unless they are already
	present.</p>
<p>When removing an anchor, either specify certificate files or
	PKCS#11 URI's on the command line. Matching anchors will be removed.</p>
<p>It may be that this command needs to be run as root in order to
	modify the system trust policy store, if no user specific store is
	available.</p>
<p>You can specify the following options.</p>
<div class="variablelist"><table border="0" class="variablelist">
<colgroup>
<col align="left" valign="top">
<col>
</colgroup>
<tbody>
<tr>
<td><p><span class="term"><code class="option">--remove</code></span></p></td>
<td><p>Remove one or more anchors from the trust
			policy store. Specify certificate files or PKCS#11 URI's
			on the command line.</p></td>
</tr>
<tr>
<td><p><span class="term"><code class="option">--store</code></span></p></td>
<td><p>Store one or more anchors to the trust
			policy store. Specify certificate files on the command
			line.</p></td>
</tr>
</tbody>
</table></div>
</div>
<div class="refsect1">
<a name="trust-extract"></a><h2>Extract</h2>
<p>Extract trust policy from the shared trust policy store.</p>
<pre class="programlisting">
$ trust extract --format=x509-directory --filter=ca-anchors /path/to/directory
</pre>
<p>You can specify the following options to control what to extract.
	The <code class="option">--filter</code> and <code class="option">--format</code> arguments
	should be specified. By default this command will not overwrite the
	destination file or directory.</p>
<div class="variablelist"><table border="0" class="variablelist">
<colgroup>
<col align="left" valign="top">
<col>
</colgroup>
<tbody>
<tr>
<td><p><span class="term"><code class="option">--comment</code></span></p></td>
<td><p>Add identifying comments to PEM bundle output files
			before each certificate.</p></td>
</tr>
<tr>
<td><p><span class="term"><code class="option">--filter=&lt;what&gt;</code></span></p></td>
<td>
<p>Specifies what certificates to extract. You can specify the following values:
			</p>
<div class="variablelist"><table border="0" class="variablelist">
<colgroup>
<col align="left" valign="top">
<col>
</colgroup>
<tbody>
<tr>
<td><p><span class="term"><code class="option">ca-anchors</code></span></p></td>
<td><p>Certificate anchors (default)</p></td>
</tr>
<tr>
<td><p><span class="term"><code class="option">trust-policy</code></span></p></td>
<td><p>Anchors and blacklist</p></td>
</tr>
<tr>
<td><p><span class="term"><code class="option">blacklist</code></span></p></td>
<td><p>Blacklisted certificates</p></td>
</tr>
<tr>
<td><p><span class="term"><code class="option">certificates</code></span></p></td>
<td><p>All certificates</p></td>
</tr>
<tr>
<td><p><span class="term"><code class="option">pkcs11:object=xx</code></span></p></td>
<td><p>A PKCS#11 URI</p></td>
</tr>
</tbody>
</table></div>
<p>
			</p>
<p>If an output format is chosen that cannot support type what has been
			specified by the filter, a message will be printed.</p>
<p>None of the available formats support storage of blacklist entries
			that do not contain a full certificate. Thus any certificates blacklisted by
			their issuer and serial number alone, are not included in the extracted
			blacklist.</p>
</td>
</tr>
<tr>
<td><p><span class="term"><code class="option">--format=&lt;type&gt;</code></span></p></td>
<td>
<p>The format of the destination file or directory.
			You can specify one of the following values:
			</p>
<div class="variablelist"><table border="0" class="variablelist">
<colgroup>
<col align="left" valign="top">
<col>
</colgroup>
<tbody>
<tr>
<td><p><span class="term"><code class="option">x509-file</code></span></p></td>
<td><p>DER X.509 certificate file</p></td>
</tr>
<tr>
<td><p><span class="term"><code class="option">x509-directory</code></span></p></td>
<td><p>directory of X.509 certificates</p></td>
</tr>
<tr>
<td><p><span class="term"><code class="option">pem-bundle</code></span></p></td>
<td><p>File containing one or more certificate PEM blocks</p></td>
</tr>
<tr>
<td><p><span class="term"><code class="option">pem-directory</code></span></p></td>
<td><p>Directory PEM files each containing one certifiacte</p></td>
</tr>
<tr>
<td><p><span class="term"><code class="option">openssl-bundle</code></span></p></td>
<td><p>OpenSSL specific PEM bundle of certificates</p></td>
</tr>
<tr>
<td><p><span class="term"><code class="option">openssl-directory</code></span></p></td>
<td><p>Directory of OpenSSL specific PEM files</p></td>
</tr>
<tr>
<td><p><span class="term"><code class="option">java-cacerts</code></span></p></td>
<td><p>Java keystore 'cacerts' certificate bundle</p></td>
</tr>
</tbody>
</table></div>
<p>
			</p>
</td>
</tr>
<tr>
<td><p><span class="term"><code class="option">--overwrite</code></span></p></td>
<td><p>Overwrite output file or directory.</p></td>
</tr>
<tr>
<td><p><span class="term"><code class="option">--purpose=&lt;usage&gt;</code></span></p></td>
<td>
<p>Limit to certificates usable for the given purpose
			You can specify one of the following values:
			</p>
<div class="variablelist"><table border="0" class="variablelist">
<colgroup>
<col align="left" valign="top">
<col>
</colgroup>
<tbody>
<tr>
<td><p><span class="term"><code class="option">server-auth</code></span></p></td>
<td><p>For authenticating servers</p></td>
</tr>
<tr>
<td><p><span class="term"><code class="option">client-auth</code></span></p></td>
<td><p>For authenticating clients</p></td>
</tr>
<tr>
<td><p><span class="term"><code class="option">email</code></span></p></td>
<td><p>For email protection</p></td>
</tr>
<tr>
<td><p><span class="term"><code class="option">code-signing</code></span></p></td>
<td><p>For authenticated signed code</p></td>
</tr>
<tr>
<td><p><span class="term"><code class="option">1.2.3.4.5...</code></span></p></td>
<td><p>An arbitrary purpose OID</p></td>
</tr>
</tbody>
</table></div>
<p>
			</p>
</td>
</tr>
</tbody>
</table></div>
</div>
<div class="refsect1">
<a name="trust-extract-compat"></a><h2>Extract Compat</h2>
<p>Extract compatibility trust certificate bundles.</p>
<pre class="programlisting">
$ trust extract-compat
</pre>
<p>OpenSSL, Java and some versions of GnuTLS cannot currently read
	trust information directly from the trust policy store. This command
	extracts trust information such as certificate anchors for use by
	these libraries.</p>
<p>What this command does, and where it extracts the files is
	distribution or site specific. Packagers or administrators are expected
	customize this command.</p>
</div>
<div class="refsect1">
<a name="trust-bugs"></a><h2>Bugs</h2>
<p>
    Please send bug reports to either the distribution bug tracker
    or the upstream bug tracker at
    <a class="ulink" href="https://bugs.freedesktop.org/enter_bug.cgi?product=p11-glue&amp;component=p11-kit" target="_top">https://bugs.freedesktop.org/enter_bug.cgi?product=p11-glue&amp;component=p11-kit</a>.
  </p>
</div>
<div class="refsect1">
<a name="trust-see-also"></a><h2>See also</h2>
<span class="simplelist"><span class="citerefentry"><span class="refentrytitle">p11-kit</span>(8)</span></span><p>An explanatory document about storing trust policy:
    <a class="ulink" href="http://p11-glue.freedesktop.org/doc/storing-trust-policy/" target="_top">http://p11-glue.freedesktop.org/doc/storing-trust-policy/</a></p>
<p>
    Further details available in the p11-kit online documentation at
    <a class="ulink" href="http://p11-glue.freedesktop.org/doc/p11-kit/" target="_top">http://p11-glue.freedesktop.org/doc/p11-kit/</a>.
  </p>
</div>
</div>
<div class="footer">
<hr>
          Generated by GTK-Doc V1.19</div>
</body>
</html>