how to make gnutls trust p11-kit's ca-anchors?

Nikos Mavrogiannopoulos nmav at gnutls.org
Thu Jul 4 07:22:58 PDT 2013


On 07/04/2013 04:17 PM, Stef Walter wrote:

> (p11-kit:25683) sys_C_FindObjectsInit: in: 1314, (3) [ { CKA_CLASS =
> CKO_CERTIFICATE }, { CKA_TRUSTED = (4) "\x01\x00\x00\x00" }, {
> CKA_CERTIFICATE_CATEGORY = 2 (authority) } ]
>
> In PKCS#11 CKA_TRUSTED is a single byte CK_BBOOL value, and PKCS#11 says
> that C_FindObjectsInit should match by byte value. So the above won't
> find the CA's properly.
>
> Attached is a patch which fixes this in gnutls. Now we see:

Thanks, applied.

> Nikos, is there a way to build gnutls so that it uses "pkcs11:" CA trust
> URL by default without every app having to specify it?

There is a configure-time option --with-default-trust-store-pkcs11 which
can be used.

regards,
Nikos
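
The byte-value matching problem discussed in the quoted text above, as an added example that is not part of the original thread or of the gnutls or p11-kit sources. The types are simplified stand-ins for those in pkcs11.h, and `attr_matches` is a hypothetical helper that models the byte-wise comparison the quoted message describes for C_FindObjectsInit.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for the PKCS#11 types (normally from pkcs11.h). */
typedef unsigned char CK_BBOOL;
typedef unsigned long CK_ULONG;
typedef struct {
    CK_ULONG type;
    void *pValue;
    CK_ULONG ulValueLen;
} CK_ATTRIBUTE;

#define CKA_TRUSTED 0x00000086UL
#define CK_TRUE 1

/* Hypothetical helper: byte-wise attribute match. Both the length and
 * the bytes of the template value must equal the stored value. */
static int attr_matches(const CK_ATTRIBUTE *stored, const CK_ATTRIBUTE *tmpl)
{
    return stored->type == tmpl->type &&
           stored->ulValueLen == tmpl->ulValueLen &&
           memcmp(stored->pValue, tmpl->pValue, tmpl->ulValueLen) == 0;
}

/* Template value is 4 bytes wide: the (4) "\x01\x00\x00\x00" in the log. */
int wide_template_matches(void)
{
    CK_BBOOL stored_val = CK_TRUE;                 /* token stores one byte */
    unsigned char wide[4] = { 0x01, 0x00, 0x00, 0x00 };
    CK_ATTRIBUTE stored = { CKA_TRUSTED, &stored_val, sizeof stored_val };
    CK_ATTRIBUTE tmpl = { CKA_TRUSTED, wide, sizeof wide };
    return attr_matches(&stored, &tmpl);
}

/* Template value is a one-byte CK_BBOOL, the width PKCS#11 defines. */
int bbool_template_matches(void)
{
    CK_BBOOL stored_val = CK_TRUE;
    CK_BBOOL want = CK_TRUE;
    CK_ATTRIBUTE stored = { CKA_TRUSTED, &stored_val, sizeof stored_val };
    CK_ATTRIBUTE tmpl = { CKA_TRUSTED, &want, sizeof want };
    return attr_matches(&stored, &tmpl);
}

int main(void)
{
    printf("4-byte template matches: %d\n", wide_template_matches());
    printf("1-byte template matches: %d\n", bbool_template_matches());
    return 0;
}
```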


