p11-kit trust module on Debian and OpenSUSE

Stef Walter stef at thewalter.net
Wed Jun 12 01:54:01 PDT 2013


On 10.06.2013 14:09, Nikos Mavrogiannopoulos wrote:
> On Fri, Jun 7, 2013 at 5:31 PM, Stef Walter <stef at thewalter.net> wrote:
>> Hey guys,
>>
>> I've been working to make p11-kit work with the update-ca-certificates
>> script on OpenSUSE and Debian. I think they're pretty much the same, so
>> I hope referring to them together is okay.
>>
>> Goals:
>>  * p11-kit trust module allows NSS, GnuTLS, OpenSSL and Java to share
>>    the same trust source.
>>  * Right now NSS and GnuTLS load certificate anchors directly from
>>    the module. NSS even loads blacklists and so on.
> 
> btw. I am curious how you load the blacklist. I have implemented CA
> blacklists to load certificates on Android systems (using
> gnutls_x509_trust_list_remove_trust_file). Would that be sufficient,
> or is another high-level function needed?

I'm working on updating the 'storing trust' document we discussed
earlier this year on the mailing list. Hoping to have everyone's
suggestions and changes incorporated later this week.

But here's how things stand:

The blacklist is a dataset that contains items with either:
 - subjectPublicKeyInfo
 - issuer+serialNumber

So to check if a certificate is on the blacklist, you would need to ask
the blacklist for every certificate in your chain (including anchors,
since I believe gnutls treats anchors as certificates) if the
certificate is present by doing two lookups:

 1. By the subjectPublicKeyInfo of the certificate
 2. By the issuer and serialNumber of the certificate.

I wish we could avoid the second step, but the discussion we had
earlier showed that we cannot, because organizations like
certificates at mozilla.org receive and publish some of their blacklisted
certificates with only issuer+serialNumber.

Alternatively you can load the entire blacklist into gnutls.

How do you do these lookups? Well again, I hope to shed more light on
that in our working document, including outlining an additional proposed C
API for doing so.

As it stands, you can look up/load the blacklist from the p11-kit trust
module via PKCS#11 by looking up the following:

   CKA_CLASS = CKO_CERTIFICATE
   CKA_X_DISTRUSTED = CK_TRUE
   CKA_ISSUER = der-encoding-of-issuer
   CKA_SERIAL_NUMBER = der-encoding-of-serialNumber

and:

   CKA_CLASS = CKO_CERTIFICATE
   CKA_X_DISTRUSTED = CK_TRUE
   CKA_VALUE = der-encoding-of-certificate

You'll note that the second lookup above isn't using the
subjectPublicKeyInfo. The p11-kit-trust module will gain this capability
soon, once it's been documented in our working document on the subject.
But the above certificate based lookup will continue to work.

I hope much of this will become clearer shortly, and I don't blame you
for waiting a short while till the dust settles. But if you want to jump
in now, the above should remain stable.

Cheers,

Stef

-- 

stef at thewalter.net
http://stef.thewalter.net
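The two-lookup check described in the mail, as an added example that is not code from the thread or from p11-kit: a small simulation in which the PKCS#11 object store, the attribute matching of C_FindObjects and all certificate values are constructed, so it runs offline. It shows why the issuer+serialNumber lookup cannot be dropped: a distrust object published with only issuer+serialNumber has no CKA_VALUE and is invisible to the certificate-based lookup.

```python
"""Simulated PKCS#11 object store for the p11-kit trust module's blacklist."""
CKO_CERTIFICATE = 1  # standard PKCS#11 object class value
CK_TRUE = 1

# Constructed token objects (a real store is populated by C_FindObjects against
# the trust module). The first entry carries only issuer+serialNumber, which is
# how some published blacklist entries arrive; the second carries a full value.
BLACKLIST_OBJECTS = [
    {"CKA_CLASS": CKO_CERTIFICATE, "CKA_X_DISTRUSTED": CK_TRUE,
     "CKA_ISSUER": b"issuer-A", "CKA_SERIAL_NUMBER": b"\x02\x01\x2a"},
    {"CKA_CLASS": CKO_CERTIFICATE, "CKA_X_DISTRUSTED": CK_TRUE,
     "CKA_ISSUER": b"issuer-B", "CKA_SERIAL_NUMBER": b"\x02\x01\x07",
     "CKA_VALUE": b"der-of-cert-B7"},
]

def find_objects(store, template):
    """Mimic C_FindObjects: every attribute in the template must match exactly."""
    return [obj for obj in store
            if all(obj.get(attr) == value for attr, value in template.items())]

def distrusted_lookups(cert):
    """Build the two templates from the mail for one chain certificate
    (cert is a constructed dict with 'issuer', 'serial' and 'der' bytes)."""
    base = {"CKA_CLASS": CKO_CERTIFICATE, "CKA_X_DISTRUSTED": CK_TRUE}
    return {
        "issuer+serial": {**base, "CKA_ISSUER": cert["issuer"],
                          "CKA_SERIAL_NUMBER": cert["serial"]},
        "value": {**base, "CKA_VALUE": cert["der"]},
    }

def check_chain(chain, store=BLACKLIST_OBJECTS):
    """Run both lookups for every certificate in the chain, anchors included.
    Returns (index, lookup_name) of the first distrusted cert, or None."""
    for i, cert in enumerate(chain):
        for name, template in distrusted_lookups(cert).items():
            if find_objects(store, template):
                return (i, name)
    return None
```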