how to make gnutls trust p11-kit's ca-anchors?
stefw at redhat.com
Sun Aug 4 07:26:12 PDT 2013
On 03.08.2013 20:03, Nikos Mavrogiannopoulos wrote:
> On 07/25/2013 02:08 PM, Ludwig Nussel wrote:
>> Stef Walter wrote:
>>> On 04.07.2013 18:08, Ludwig Nussel wrote:
>>>> Stef Walter wrote:
>>>>> On 04.07.2013 16:19, David Woodhouse wrote:
>>>>>> On Thu, 2013-07-04 at 16:17 +0200, Stef Walter wrote:
>>>>>>> Nikos, is there a way to build gnutls so that it uses "pkcs11:" CA
>>>>>>> URL by default without every app having to specify it?
>>>>>> configure --with-default-trust-store-pkcs11=pkcs11: ?
>>>>> Bingo. Thanks.
>>>> That's exactly how I would like to have gnutls configured on openSUSE
>>>> by default. I'll try your gnutls patch. Thanks!
>>> One thing to note is that gnutls only looks up anchors, and doesn't
>>> check blacklists. That's fine, it's a good start.
>> Ah, gnutls doesn't know about the trusted usages. So I can't use
>> pkcs11 as store in the distro yet.
>> Doesn't seem to work properly anyway (full debug log attached):
>> $ p11tool --list-all-trusted
>> Object 0:
>> Type: X.509 Certificate
>> Label: Entrust.net Premium 2048 Secure Server CA
>> ID: 55:e4:81:d1:11:80:be:d8:89:b9:08:a3:31:f9:a1:24:09:16:b9:70
>> Error in pkcs11_list:191: ASN1 parser: Error in DER parsing.
> Hello Ludwig,
> I don't understand what the issue is there. What is the trust usage,
> and what should gnutls have done differently? As I see it, this object
> contains an X.509 certificate that cannot be parsed (I see though that
> this code may have issues with data objects).
Although I haven't had a chance to try and reproduce...
My guess would be that the CKA_VALUE for the certificate has a zero
length. This is supported by the PKCS#11 spec. Does gnutls choke on that?
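The distinction Stef is drawing, a zero-length CKA_VALUE versus a genuinely malformed DER blob, as an added example in C. This is illustration code written for this page, not gnutls, p11-kit or p11tool code: the `trust_object` struct, the `value_status` names and the byte strings are constructed stand-ins (the "good" blobs are minimal DER SEQUENCEs with a consistent outer header, not real certificates). It checks only the outer tag and length of a certificate object's value before the blob would be handed to a full X.509 parser, so an empty value is skipped with its own status instead of surfacing as "Error in DER parsing":

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result of inspecting one CKA_VALUE blob before handing it to an X.509 parser.
   (Hypothetical names for this example; not gnutls or p11-kit identifiers.) */
enum value_status {
    VALUE_OK = 0,      /* outer DER SEQUENCE header is consistent: safe to parse */
    VALUE_EMPTY = 1,   /* zero-length CKA_VALUE: skip it, do not report a DER error */
    VALUE_BAD_DER = 2  /* non-empty but not a well-formed DER SEQUENCE */
};

/* Decode the outer DER tag and length of buf. Returns 1 and sets *hdr_len /
   *content_len on success, 0 if the header is not a valid DER SEQUENCE header. */
static int der_outer_header(const uint8_t *buf, size_t len,
                            size_t *hdr_len, size_t *content_len)
{
    if (len < 2 || buf[0] != 0x30)          /* an X.509 Certificate is a SEQUENCE */
        return 0;
    uint8_t first = buf[1];
    if (first < 0x80) {                     /* short-form length */
        *hdr_len = 2;
        *content_len = first;
        return 1;
    }
    size_t nbytes = first & 0x7f;
    if (nbytes == 0 || nbytes > sizeof(size_t) || len < 2 + nbytes)
        return 0;                           /* 0x80 is indefinite length (BER, not DER) */
    if (buf[2] == 0)
        return 0;                           /* leading zero byte: non-minimal length */
    size_t n = 0;
    for (size_t i = 0; i < nbytes; i++)
        n = (n << 8) | buf[2 + i];
    if (n < 0x80)
        return 0;                           /* DER requires the short form here */
    *hdr_len = 2 + nbytes;
    *content_len = n;
    return 1;
}

/* Classify a CKA_VALUE blob. A zero-length value is reported as VALUE_EMPTY
   rather than as a parse failure, which is the distinction the thread is about. */
enum value_status inspect_cka_value(const uint8_t *value, size_t value_len)
{
    size_t hdr, content;
    if (value_len == 0)
        return VALUE_EMPTY;
    if (!der_outer_header(value, value_len, &hdr, &content))
        return VALUE_BAD_DER;
    if (content != value_len - hdr)
        return VALUE_BAD_DER;               /* truncated blob or trailing bytes */
    return VALUE_OK;
}

/* One object as a PKCS#11 trust module would expose it (constructed stand-in;
   a real object carries more attributes than a label and a value). */
struct trust_object {
    const char *label;
    const uint8_t *value;
    size_t value_len;
};

/* Constructed sample blobs for this example; none is a real certificate. */
const uint8_t sample_good[]       = { 0x30, 0x03, 0x02, 0x01, 0x05 };       /* SEQUENCE { INTEGER 5 } */
const uint8_t sample_truncated[]  = { 0x30, 0x03, 0x02, 0x01 };             /* header says 3 bytes, 2 present */
const uint8_t sample_not_seq[]    = { 0x02, 0x01, 0x05 };                   /* bare INTEGER, not a SEQUENCE */
const uint8_t sample_indefinite[] = { 0x30, 0x80, 0x02, 0x01, 0x05, 0x00, 0x00 }; /* BER indefinite length */
const uint8_t sample_nonminimal[] = { 0x30, 0x81, 0x03, 0x02, 0x01, 0x05 }; /* long form for a length < 128 */

/* Walk objects the way a listing tool does. Returns how many values are safe
   to parse; empty ones are counted in *skipped and malformed ones in *bad,
   so an empty CKA_VALUE never aborts the listing. */
size_t enumerate_trust_objects(const struct trust_object *objs, size_t n,
                               size_t *skipped, size_t *bad)
{
    size_t ok = 0;
    *skipped = *bad = 0;
    for (size_t i = 0; i < n; i++) {
        switch (inspect_cka_value(objs[i].value, objs[i].value_len)) {
        case VALUE_OK:      ok++;         break;
        case VALUE_EMPTY:   (*skipped)++; break;
        case VALUE_BAD_DER: (*bad)++;     break;
        }
    }
    return ok;
}

int main(void)
{
    const struct trust_object store[] = {
        { "anchor with certificate body",      sample_good,      sizeof sample_good },
        { "anchor with zero-length CKA_VALUE", NULL,             0 },
        { "object with truncated DER",         sample_truncated, sizeof sample_truncated },
    };
    size_t skipped, bad;
    size_t ok = enumerate_trust_objects(store, 3, &skipped, &bad);
    for (size_t i = 0; i < 3; i++)
        printf("Object %zu: %s -> status %d\n", i, store[i].label,
               inspect_cka_value(store[i].value, store[i].value_len));
    printf("parseable=%zu skipped=%zu bad=%zu\n", ok, skipped, bad);
    return bad != 0;
}
```

The outer-header check is deliberately cheap: it is the gate in front of the real ASN.1 parser, and its job is only to keep the two failure modes apart so that a listing reports "skipped, empty value" for the first and a DER error for the second.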