Modifying a trust anchor in one .p11-kit file via another .p11-kit file?

Nikos Mavrogiannopoulos nmav at redhat.com
Thu Mar 1 07:46:51 UTC 2018


On Wed, 2018-02-28 at 10:41 +0000, Jeremy Rand wrote:
> Hi,
> 
> I'm doing a few experiments with p11-kit's trust module. I'm wondering
> if it's possible to modify a trust anchor that exists in a .p11-kit file
> via some syntax that I could place in a different .p11-kit file. In
> particular, I want to apply some extra constraints to a root CA from the
> Mozilla CA list, but I don't want to edit the .p11-kit file that
> contains the Mozilla CA list, since that file is managed by Fedora's
> package manager and will presumably get overwritten periodically outside
> of my control. So I figure it would be useful to put those extra
> constraints in a different .p11-kit file that isn't managed by the
> package manager.

Yes. Constraints are applied on the public key. My understanding is
that you can add a .p11-kit file containing the target CA's public key
and the restrictions you want to add.

Something like:
```
[p11-kit-object-v1]
class: x-certificate-extension
label: "Example.com CA restriction"
object-id: 2.5.29.30
value: "%30%1a%06%03%55%1d%1e%04%13%30%11%a0%0f%30%0d%82%0b%65%78%61%6d%70%6c%65%2e%63%6f%6d"
-----BEGIN PUBLIC KEY-----
...
-----END PUBLIC KEY-----
```

and place it in the p11-kit source directory of your distribution.

regards,
Nikos
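The `value:` in the stanza above is a DER-encoded nameConstraints extension (OID 2.5.29.30) whose permittedSubtrees hold a single dNSName, `example.com`. The following script, an added example rather than code from the thread or from p11-kit itself, builds that DER from a list of DNS names, renders it in the `%xx` escaping `.p11-kit` files use, and assembles the whole `[p11-kit-object-v1]` stanza; the function names and the `critical` option are my own, and the PEM block is a placeholder for the target CA's public key.

```python
from typing import List

def der_tlv(tag: int, content: bytes) -> bytes:
    """Wrap content in a DER tag-length-value triple (short or long length form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + content

def der_oid(dotted: str) -> bytes:
    """DER-encode a dotted OID; '2.5.29.30' becomes 06 03 55 1d 1e."""
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:  # base-128, high bit set on all but the last byte
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(chunk)
    return der_tlv(0x06, bytes(body))

def name_constraints_extension(permitted_dns: List[str], critical: bool = False) -> bytes:
    """Extension SEQUENCE {extnID, [critical], extnValue OCTET STRING} carrying a
    NameConstraints whose permittedSubtrees hold one dNSName ([2]) per entry."""
    subtrees = b"".join(der_tlv(0x30, der_tlv(0x82, n.encode("ascii"))) for n in permitted_dns)
    name_constraints = der_tlv(0x30, der_tlv(0xA0, subtrees))  # [0] = permittedSubtrees
    parts = [der_oid("2.5.29.30")]
    if critical:  # BOOLEAN DEFAULT FALSE, so DER omits it unless TRUE
        parts.append(der_tlv(0x01, b"\xff"))
    parts.append(der_tlv(0x04, name_constraints))
    return der_tlv(0x30, b"".join(parts))

def p11_kit_escape(data: bytes) -> str:
    """Render bytes in the %xx-escaped string form .p11-kit files accept."""
    return "".join(f"%{b:02x}" for b in data)

def render_p11_kit_object(label: str, permitted_dns: List[str], public_key_pem: str) -> str:
    """Assemble the [p11-kit-object-v1] stanza; the PEM public key selects the CA it binds to."""
    value = p11_kit_escape(name_constraints_extension(permitted_dns))
    lines = ["[p11-kit-object-v1]", "class: x-certificate-extension", f'label: "{label}"',
             "object-id: 2.5.29.30", f'value: "{value}"', public_key_pem.strip()]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # PLACEHOLDER PEM: substitute the target CA's real SubjectPublicKeyInfo.
    pem = "-----BEGIN PUBLIC KEY-----\n...\n-----END PUBLIC KEY-----"
    print(render_p11_kit_object("Example.com CA restriction", ["example.com"], pem))
```

With `["example.com"]` the rendered `value:` matches the hex string in the stanza above byte for byte, which is a quick way to confirm a hand-written constraint before dropping the file into the trust source directory.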
