how to make gnutls trust p11-kit's ca-anchors?
nmav at gnutls.org
Sat Aug 3 11:03:14 PDT 2013
On 07/25/2013 02:08 PM, Ludwig Nussel wrote:
> Stef Walter wrote:
>> On 04.07.2013 18:08, Ludwig Nussel wrote:
>>> Stef Walter wrote:
>>>> On 04.07.2013 16:19, David Woodhouse wrote:
>>>>> On Thu, 2013-07-04 at 16:17 +0200, Stef Walter wrote:
>>>>>> Nikos, is there a way to build gnutls so that it uses "pkcs11:" CA
>>>>>> URL by default without every app having to specify it?
>>>>> configure --with-default-trust-store-pkcs11=pkcs11: ?
>>>> Bingo. Thanks.
>>> That's exactly how I would like to have gnutls configured on openSUSE
>>> by default. I'll try your gnutls patch. Thanks!
>> One thing to note is that gnutls only looks up anchors, and doesn't
>> check blacklists. That's fine, it's a good start.
> Ah, gnutls doesn't know about the trusted usages. So I can't use
> pkcs11 as store in the distro yet.
> Doesn't seem to work properly anyways (full debug log attached):
> $ p11tool --list-all-trusted
> Object 0:
> Type: X.509 Certificate
> Label: Entrust.net Premium 2048 Secure Server CA
> ID: 55:e4:81:d1:11:80:be:d8:89:b9:08:a3:31:f9:a1:24:09:16:b9:70
> Error in pkcs11_list:191: ASN1 parser: Error in DER parsing.
I don't understand what the issue is there. What is the trust usage,
and what should gnutls have done differently? As I see it, this object
contains an X.509 certificate that cannot be parsed (I see, though, that
this code may have issues with data objects).
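The thread makes two separate points: the `p11tool --list-all-trusted` listing breaks off at a DER parsing error, and a gnutls built with `--with-default-trust-store-pkcs11=pkcs11:` only looks up anchors, without consulting p11-kit's blacklist or trusted usages. The following is an added illustration, not code from this thread, from gnutls or from p11-kit. It parses a listing in the format quoted above while recording the error line instead of losing it, and then contrasts an anchor-only lookup with a policy lookup that also honours a blacklist and per-purpose trust. The `TrustStore` layout, the purpose names and every object other than the first one in the sample are constructed assumptions for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the p11tool output quoted in the thread.
# Object 0 is copied from the message; the error line ends the listing as it did there.
SAMPLE_LISTING = """\
Object 0:
    Type: X.509 Certificate
    Label: Entrust.net Premium 2048 Secure Server CA
    ID: 55:e4:81:d1:11:80:be:d8:89:b9:08:a3:31:f9:a1:24:09:16:b9:70
Error in pkcs11_list:191: ASN1 parser: Error in DER parsing.
"""


@dataclass
class TrustObject:
    index: int
    attrs: dict = field(default_factory=dict)


def parse_p11tool_listing(text):
    """Parse 'Object N:' blocks with 'Key: value' attributes.

    Returns (objects, errors). Error lines are collected rather than
    raised, so a partial listing still yields the objects seen before the error.
    """
    objects, errors = [], []
    current = None
    for line in text.splitlines():
        m = re.match(r"^Object (\d+):\s*$", line)
        if m:
            current = TrustObject(int(m.group(1)))
            objects.append(current)
            continue
        if line.startswith("Error in "):
            errors.append(line.strip())
            continue
        m = re.match(r"^\s*([A-Za-z ]+):\s*(.*)$", line)
        if m and current is not None:
            current.attrs[m.group(1).strip()] = m.group(2).strip()
    return objects, errors


@dataclass
class TrustStore:
    """Simplified model (assumption) of what a p11-kit trust store carries:
    anchors keyed by label with the purposes they are trusted for, plus a
    blacklist of labels that must never be trusted."""
    anchors: dict
    blacklist: set


def anchor_only_lookup(store, label):
    """The behaviour described in the thread: anchor present => trusted."""
    return label in store.anchors


def policy_lookup(store, label, purpose):
    """Anchor must exist, must not be blacklisted, and must be trusted for purpose."""
    if label in store.blacklist:
        return False
    return purpose in store.anchors.get(label, set())


# Constructed store: only the first label comes from the thread; the rest are made up.
DEMO_STORE = TrustStore(
    anchors={
        "Entrust.net Premium 2048 Secure Server CA": {"server-auth", "email"},
        "Constructed Distrusted CA": {"server-auth"},
        "Constructed Email-only CA": {"email"},
    },
    blacklist={"Constructed Distrusted CA"},
)


def compare_lookups(store, label, purpose="server-auth"):
    """Return (anchor_only, with_policy) so the difference is visible per anchor."""
    return anchor_only_lookup(store, label), policy_lookup(store, label, purpose)


if __name__ == "__main__":
    objs, errs = parse_p11tool_listing(SAMPLE_LISTING)
    for o in objs:
        print(o.index, o.attrs.get("Label"))
    for e in errs:
        print("listing stopped:", e)
    for label in DEMO_STORE.anchors:
        print(label, compare_lookups(DEMO_STORE, label))
```

The two labels where `compare_lookups` returns `(True, False)` are exactly the cases the thread worries about: an anchor that p11-kit has blacklisted, and one that is only trusted for a purpose other than server authentication. An anchor-only lookup accepts both.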