[gnutls-devel] gnutls 3.3.8

Nikos Mavrogiannopoulos nmav at gnutls.org
Thu Sep 18 20:00:33 CEST 2014

On Thu, Sep 18, 2014 at 2:10 PM, Nikos Mavrogiannopoulos
<nmav at gnutls.org> wrote:
> Hello,
>  I've just released gnutls 3.3.8. This is a bug-fix release on
> the next-stable branch. An important aspect of this release is that it
> completes support for the p11-kit trust module, allowing gnutls to
> utilize attached extensions in the system CA certificates (e.g. to
> restrict a CA certificate to certain domain names, or for a specific
> scope). I'll provide details on that feature on a follow up e-mail.

Ok. It seems I can now get back to that. P11-kit provides a trust
module that itself provides a PKCS #11 API to verify certificates
using some predefined trusted anchors. It provides a documented API
that gnutls uses (and as far as I understand an undocumented API that
NSS uses). In any case let's suppose you have p11-kit configured, say
with --with-trust-paths=/usr/share/pki/ca-trust-source and you have
the "normal" bundle of CAs there. Then a trust module needs to be
marked as such using a .conf file (e.g., in /etc/pkcs11/modules) with
the contents:
module: p11-kit-trust.so
priority: 1
trust-policy: yes

I'll give an example of the possibility of adding restrictions to the
CAs in the bundle. E.g., let's change the scope of amazon.com's CA,
to prevent it from signing TLS certificates.
Before adding any restrictions let's ensure that connecting to our
target site works.
$ gnutls-cli --x509cafile "pkcs11:" www.amazon.com

If it doesn't, there is something wrong with the p11-kit setup.

Then let's create /usr/share/pki/ca-trust-source/amazon.p11-kit
with the following contents:

class: x-certificate-extension
label: "My label"
# The full URL encoded DER SubjectPublicKeyInfo SEQUENCE
value: "%30%16%06%03%55%1d%25%01%01%ff%04%0c%30%0a%06%08%2b%06%01%05%05%07%03%09"

That changes the purpose of the amazon CA to OCSP signing. The CA is
identified from the public-key-info (which is a HEX encoding of the
subjectPublicKeyInfo of that CA's key), and the object-id and value
are RFC5280 certificate extensions.

When that file is in place, using the gnutls-cli command above should fail.

Other restrictions can be added, potentially all restrictions that can
be expressed with extensions used by gnutls, e.g., restricting the
host names a CA can sign for etc.
Unfortunately the tools required to make these p11-kit files pretty
much don't exist. You'll have to mess with some frob- examples or help
Stef Walter who maintains p11-kit to make them happen.
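
Added example, not part of the original message and not p11-kit or gnutls code: a small Python decoder for the URL-encoded value: string in the stanza above, so that an administrator can check which RFC 5280 extension and key purposes such a file imposes before dropping it into the trust path. The function names are this example's own; the only input is the value copied from the message.

```python
from urllib.parse import unquote_to_bytes
VALUE = "%30%16%06%03%55%1d%25%01%01%ff%04%0c%30%0a%06%08%2b%06%01%05%05%07%03%09"  # from the message

def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for one DER element (single-byte tags)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """Turn base-128 OID content octets into dotted notation."""
    arcs, acc = [], 0
    for b in content:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends one arc
            arcs, acc = arcs + [acc], 0
    first = min(arcs[0] // 40, 2)          # first group packs the two leading arcs
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def parse_extension(url_encoded):
    """Decode Extension ::= SEQUENCE { extnID, critical DEFAULT FALSE, extnValue }."""
    der = unquote_to_bytes(url_encoded)
    tag, body, end = read_tlv(der)
    oid_tag, oid, pos = read_tlv(body)
    val_tag, value, pos = read_tlv(body, pos)
    critical = val_tag == 0x01 and value != b"\x00"
    if val_tag == 0x01:                    # optional BOOLEAN was present, extnValue follows
        val_tag, value, pos = read_tlv(body, pos)
    if (tag, oid_tag, val_tag) != (0x30, 0x06, 0x04) or end != len(der) or pos != len(body):
        raise ValueError("not a single DER-encoded Extension")
    return decode_oid(oid), critical, value

def parse_eku(extn_value):
    """Decode ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId into dotted OIDs."""
    tag, body, _ = read_tlv(extn_value)
    if tag != 0x30:
        raise ValueError("not an extKeyUsage SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        _, content, pos = read_tlv(body, pos)
        oids.append(decode_oid(content))
    return oids

if __name__ == "__main__":
    print(parse_extension(VALUE)[:2], parse_eku(parse_extension(VALUE)[2]))
```

For the value above this yields extension 2.5.29.37 (extended key usage), marked critical, with the single purpose 1.3.6.1.5.5.7.3.9 (OCSP signing), which is why TLS server verification against that CA is expected to fail.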

