how to make gnutls trust p11-kit's ca-anchors?

Nikos Mavrogiannopoulos nmav at gnutls.org
Sun Aug 4 09:23:55 PDT 2013


On 08/04/2013 04:26 PM, Stef Walter wrote:

>> Hello Ludwig,
>>  I don't understand what the issue is there. What is the trust usage,
>> and what should gnutls have done differently? As I see, this object
>> contains an X.509 certificate that cannot be parsed (I see though that
>> this code may have issues with data objects).
> 
> Although I haven't had a chance to try and reproduce...
> 
> My guess would be that the CKA_VALUE for the certificate has a zero
> length. This is supported by the PKCS#11 spec. Does gnutls choke on that?

So it seems that this is the issue. p11tool would complain about them as
previously demonstrated (for no particular reason as it wouldn't really
do anything more with the certificate). I've now removed the offending code.

regards,
Nikos




