how to make gnutls trust p11-kit's ca-anchors?

Stef Walter stefw at
Thu Jul 4 07:17:07 PDT 2013

On 04.07.2013 15:55, Stef Walter wrote:
> On 04.07.2013 14:57, Ludwig Nussel wrote:
>> I'm currently wiring up p11-kit in openSUSE. One thing I'm currently
>> struggling with is gnutls. The package is built in a way that makes
>> p11-kit appear out of the box, i.e. p11tool --list-all has all root
>> certificates. How can I make gnutls use them as trust anchors though?
>> I.e. what is the correct URL to pass to e.g. gnutls-cli --x509cafile?
>> Maybe it doesn't work right away because 'p11tool --list-all-trusted'
>> doesn't list the certs as trusted?
> Hmmm, Nikos might know off hand, but I'll test it and report back.

Okay, tracked the problem down. Somehow I imagined this would take longer...

gnutls uses PKCS#11 for trust like this:

$ gnutls-cli --x509cafile=pkcs11:

However there's a bug, and it says:

    Processed 0 CA certificate(s).

Adding P11_KIT_DEBUG=all shows p11-kit debug output, which includes this:

(p11-kit:25683) sys_C_FindObjectsInit: in: 1314, (3) [ { CKA_CLASS =
CKO_CERTIFICATE }, { CKA_TRUSTED = (4) "\x01\x00\x00\x00" }, {
CKA_CERTIFICATE_CATEGORY = 2 (authority) } ]

In PKCS#11 CKA_TRUSTED is a single-byte CK_BBOOL value, and PKCS#11 says
that C_FindObjectsInit should match by byte value. So the above won't
find the CAs properly.

Attached is a patch which fixes this in gnutls. Now we see:

$ gnutls-cli --x509cafile=pkcs11:
Processed 144 CA certificate(s).


(p11-kit:30735) sys_C_FindObjectsInit: in: 16, (3) [ { CKA_CLASS =
CKO_CERTIFICATE }, { CKA_TRUSTED = (1) "\x01" }, {
CKA_CERTIFICATE_CATEGORY = 2 (authority) } ]

Nikos, is there a way to build gnutls so that it uses "pkcs11:" CA trust
URL by default without every app having to specify it?


-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-pkcs11-Use-the-correct-attribute-length-for-CKA_TRUS.patch
Type: text/x-patch
Size: 893 bytes
Desc: not available
URL: <>
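
The length mismatch described in the message above, as an added example that is not part of the original post and is neither gnutls nor p11-kit code. It is a simplified model of exact-match attribute search; the stand-in type definitions, the constructed three-object store and the helper names has_attr and count_trusted are assumptions, and CKA_CERTIFICATE_CATEGORY is left out for brevity.

```c
#include <stdio.h>
#include <string.h>

/* Stand-ins for the PKCS#11 types and constants, so this builds without pkcs11.h. */
typedef unsigned char CK_BBOOL;
typedef unsigned long CK_ULONG;
typedef struct { CK_ULONG type; const void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
#define CKA_CLASS       0x00UL
#define CKA_TRUSTED     0x86UL
#define CKO_CERTIFICATE 0x01UL

static const CK_ULONG klass = CKO_CERTIFICATE;
static const CK_BBOOL yes = 1, no = 0;
/* Constructed store: two trusted anchors and one untrusted certificate. */
static const CK_ATTRIBUTE store[3][2] = {
    { { CKA_CLASS, &klass, sizeof klass }, { CKA_TRUSTED, &yes, sizeof yes } },
    { { CKA_CLASS, &klass, sizeof klass }, { CKA_TRUSTED, &yes, sizeof yes } },
    { { CKA_CLASS, &klass, sizeof klass }, { CKA_TRUSTED, &no,  sizeof no  } },
};

/* A template attribute matches only if type, length and bytes are all equal. */
static int has_attr(const CK_ATTRIBUTE *obj, const CK_ATTRIBUTE *want) {
    for (size_t i = 0; i < 2; i++)
        if (obj[i].type == want->type && obj[i].ulValueLen == want->ulValueLen &&
            memcmp(obj[i].pValue, want->pValue, want->ulValueLen) == 0)
            return 1;
    return 0;
}

/* Hypothetical helper: count trusted certificates found when the search
 * template carries a CKA_TRUSTED value of trusted_len bytes. */
int count_trusted(size_t trusted_len) {
    static const unsigned char value[4] = { 1, 0, 0, 0 };
    const CK_ATTRIBUTE tmpl[2] = {
        { CKA_CLASS, &klass, sizeof klass },
        { CKA_TRUSTED, value, trusted_len },
    };
    int hits = 0;
    for (size_t o = 0; o < 3; o++)
        hits += has_attr(store[o], &tmpl[0]) && has_attr(store[o], &tmpl[1]);
    return hits;
}

int main(void) {
    printf("4-byte CKA_TRUSTED: %d\n", count_trusted(4));                /* as in the first trace */
    printf("1-byte CKA_TRUSTED: %d\n", count_trusted(sizeof(CK_BBOOL))); /* as in the second trace */
    return 0;
}
```

The 4-byte template never matches because the stored attribute is one byte long, even though its first byte is the same.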
