Defining header for stapled certificate extensions

Nikos Mavrogiannopoulos nmav at
Thu Sep 11 09:12:36 PDT 2014

On Thu, 2014-09-11 at 11:09 +0200, Nikos Mavrogiannopoulos wrote:

> I'm at this point where I read an anchor certificate, its
> CKA_PUBLIC_KEY_INFO (to avoid me parsing the certificate), from the
> trust module. Then I construct a FindObjects query with
> CKO_X_CERTIFICATE_EXTENSION, and as CKA_CLASS and the provided
> What should I expect as an answer? My guess would be that there will
> always be a stapled extension for an anchor certificate that indicates
> its purpose (i.e., the ExtendedKeyUsage extension). Is that correct? (I
> don't get any stapled extension as answer, and I'm wondering whether
> there is something wrong in my code or the no extensions answer is
> expected).
> Is there some easy way to add custom stapled (or attached) extensions in
> order to test that code?

I seemed to use a default trust module with no extensions. By switching
to the directories used in Fedora it seems to work fine.

