how to make gnutls trust p11-kit's ca-anchors?
Nikos Mavrogiannopoulos
nmav at gnutls.org
Thu Jul 4 07:22:58 PDT 2013
On 07/04/2013 04:17 PM, Stef Walter wrote:
> (p11-kit:25683) sys_C_FindObjectsInit: in: 1314, (3) [ { CKA_CLASS =
> CKO_CERTIFICATE }, { CKA_TRUSTED = (4) "\x01\x00\x00\x00" }, {
> CKA_CERTIFICATE_CATEGORY = 2 (authority) } ]
> In PKCS#11 CKA_TRUSTED is a single byte CK_BBOOL value, and PKCS#11 says
> that C_FindObjectsInit should match by byte value. So the above won't
> find the CAs properly.
> Attached is a patch which fixes this in gnutls. Now we see:
Thanks, applied.
> Nikos, is there a way to build gnutls so that it uses "pkcs11:" CA trust
> URL by default without every app having to specify it?
There is a configure-time option --with-default-trust-store-pkcs11 which
can be used.
regards,
Nikos
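
The matching failure quoted above, as an added example that is not part of the original message and is not gnutls or p11-kit code: a byte-exact template match finds a trusted CA object when CKA_TRUSTED is passed as a one-byte CK_BBOOL and misses it when the same value is passed as four bytes. The types are local stand-ins for pkcs11.h, and `template_matches` and `search_with_trusted` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Local stand-ins for pkcs11.h types and constants (assumption). */
typedef unsigned char CK_BBOOL;
typedef unsigned long CK_ULONG;
typedef struct { CK_ULONG type; const void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
#define CKA_CLASS                0x00UL
#define CKA_TRUSTED              0x86UL
#define CKA_CERTIFICATE_CATEGORY 0x87UL
#define CKO_CERTIFICATE          0x01UL

/* Constructed token object: a trusted CA certificate (category 2 = authority). */
static const CK_ULONG obj_class = CKO_CERTIFICATE, obj_category = 2;
static const CK_BBOOL obj_trusted = 1; /* CK_TRUE, stored as one byte */
static const CK_ATTRIBUTE object[] = {
    { CKA_CLASS, &obj_class, sizeof obj_class },
    { CKA_TRUSTED, &obj_trusted, sizeof obj_trusted },
    { CKA_CERTIFICATE_CATEGORY, &obj_category, sizeof obj_category },
};

/* Every template attribute must be on the object with the same length and bytes. */
static int template_matches(const CK_ATTRIBUTE *tmpl, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        int found = 0;
        for (size_t j = 0; j < sizeof object / sizeof object[0]; j++)
            if (object[j].type == tmpl[i].type && object[j].ulValueLen == tmpl[i].ulValueLen &&
                memcmp(object[j].pValue, tmpl[i].pValue, tmpl[i].ulValueLen) == 0) found = 1;
        if (!found) return 0;
    }
    return 1;
}

/* Search for trusted CA certificates, with CKA_TRUSTED encoded as the caller chooses. */
int search_with_trusted(const void *val, CK_ULONG len)
{
    CK_ATTRIBUTE tmpl[] = {
        { CKA_CLASS, &obj_class, sizeof obj_class },
        { CKA_TRUSTED, val, len },
        { CKA_CERTIFICATE_CATEGORY, &obj_category, sizeof obj_category },
    };
    return template_matches(tmpl, 3);
}

int main(void)
{
    uint32_t wide = 1; CK_BBOOL narrow = 1;
    printf("4-byte: %d, CK_BBOOL: %d\n", search_with_trusted(&wide, sizeof wide), search_with_trusted(&narrow, sizeof narrow));
    return 0;
}
```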