how to make gnutls trust p11-kit's ca-anchors?

Nikos Mavrogiannopoulos nmav at
Sat Aug 3 11:03:14 PDT 2013

On 07/25/2013 02:08 PM, Ludwig Nussel wrote:
> Stef Walter wrote:
>> On 04.07.2013 18:08, Ludwig Nussel wrote:
>>> Stef Walter wrote:
>>>> On 04.07.2013 16:19, David Woodhouse wrote:
>>>>> On Thu, 2013-07-04 at 16:17 +0200, Stef Walter wrote:
>>>>>> Nikos, is there a way to build gnutls so that it uses "pkcs11:" CA
>>>>>> trust
>>>>>> URL by default without every app having to specify it?
>>>>> configure --with-default-trust-store-pkcs11=pkcs11: ?
>>>> Bingo. Thanks.
>>> That's exactly how I would like to have gnutls configured on openSUSE
>>> by default. I'll try your gnutls patch. Thanks!
>> One thing to note is that gnutls only looks up anchors, and doesn't
>> check blacklists. That's fine, it's a good start.
> Ah, gnutls doesn't know about the trusted usages. So I can't use
> pkcs11 as store in the distro yet.
> Doesn't seem to work properly anyways (full debug log attached):
> $ p11tool --list-all-trusted
> Object 0:
>     URL:
> pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=Default%20Trust;id=%55%e4%81%d1%11%80%be%d8%89%b9%08%a3%31%f9%a1%24%09%16%b9%70;;object-type=cert
>     Type: X.509 Certificate
>     Label: Premium 2048 Secure Server CA
>     ID: 55:e4:81:d1:11:80:be:d8:89:b9:08:a3:31:f9:a1:24:09:16:b9:70
> Error in pkcs11_list:191: ASN1 parser: Error in DER parsing.
> $

Hello Ludwig,
 I don't understand what is the issue there. What is the trust usage,
and what gnutls should have done differently? As I see this object
contains an X.509 certificate that cannot be parsed (I see though that
this code may have issues with data objects).


More information about the p11-glue mailing list