Defining header for stapled certificate extensions

Stef Walter stefw at redhat.com
Fri Sep 12 03:52:15 PDT 2014


On 11.09.2014 18:12, Nikos Mavrogiannopoulos wrote:
> On Thu, 2014-09-11 at 11:09 +0200, Nikos Mavrogiannopoulos wrote:
> 
>> I'm at this point where I read an anchor certificate, its
>> CKA_PUBLIC_KEY_INFO (to avoid me parsing the certificate), from the
>> trust module. Then I construct a FindObjects query with
>> CKO_X_CERTIFICATE_EXTENSION as CKA_CLASS and the provided
>> CKA_PUBLIC_KEY_INFO.
>>
>> What should I expect as an answer? My guess would be that there will
>> always be a stapled extension for an anchor certificate that indicates
>> its purpose (i.e., the ExtendedKeyUsage extension). Is that correct? (I
>> don't get any stapled extension as answer, and I'm wondering whether
>> there is something wrong in my code or the no extensions answer is
>> expected).
>> Is there some easy way to add custom stapled (or attached) extensions in
>> order to test that code?
> 
> I seemed to use a default trust module with no extensions. By switching
> to the directories used in Fedora it seems to work fine.

Yes. For the record, on Fedora this ./configure (or ./autogen.sh)
argument does the trick:

--with-trust-paths=/etc/pki/ca-trust/source:/usr/share/pki/ca-trust-source

Cheers,

Stef

