how to make gnutls trust p11-kit's ca-anchors?

Stef Walter stefw at
Sun Aug 4 07:26:12 PDT 2013

On 03.08.2013 20:03, Nikos Mavrogiannopoulos wrote:
> On 07/25/2013 02:08 PM, Ludwig Nussel wrote:
>> Stef Walter wrote:
>>> On 04.07.2013 18:08, Ludwig Nussel wrote:
>>>> Stef Walter wrote:
>>>>> On 04.07.2013 16:19, David Woodhouse wrote:
>>>>>> On Thu, 2013-07-04 at 16:17 +0200, Stef Walter wrote:
>>>>>>> Nikos, is there a way to build gnutls so that it uses "pkcs11:" CA
>>>>>>> trust
>>>>>>> URL by default without every app having to specify it?
>>>>>> configure --with-default-trust-store-pkcs11=pkcs11: ?
>>>>> Bingo. Thanks.
>>>> That's exactly how I would like to have gnutls configured on openSUSE
>>>> by default. I'll try your gnutls patch. Thanks!
>>> One thing to note is that gnutls only looks up anchors, and doesn't
>>> check blacklists. That's fine, it's a good start.
>> Ah, gnutls doesn't know about the trusted usages. So I can't use
>> pkcs11 as store in the distro yet.
>> Doesn't seem to work properly anyways (full debug log attached):
>> $ p11tool --list-all-trusted
>> Object 0:
>>     URL:
>> pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=Default%20Trust;id=%55%e4%81%d1%11%80%be%d8%89%b9%08%a3%31%f9%a1%24%09%16%b9%70;;object-type=cert
>>     Type: X.509 Certificate
>>     Label: Premium 2048 Secure Server CA
>>     ID: 55:e4:81:d1:11:80:be:d8:89:b9:08:a3:31:f9:a1:24:09:16:b9:70
>> Error in pkcs11_list:191: ASN1 parser: Error in DER parsing.
>> $
> Hello Ludwig,
>  I don't understand what is the issue there. What is the trust usage,
> and what gnutls should have done differently? As I see this object
> contains an X.509 certificate that cannot be parsed (I see though that
> this code may have issues with data objects).

Although I haven't had a chance to try and reproduce...

My guess would be that the CKA_VALUE for the certificate has a zero
length. This is supported by the PKCS#11 spec. Does gnutls choke on that?



More information about the p11-glue mailing list