[gnutls-devel] GnuTLS | trust-store test not finding certificates when using p11-kit as default trust store (#1639)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Sat Jan 4 15:15:33 CET 2025



Maxim Cournoyer created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1639



Hello!

I'm trying to debug why gnutls (as seen in the trust-store test) doesn't find p11-kit provided certificates when configured with `--with-default-trust-store-pkcs11=pkcs11:`.

There is no /etc/ssl/* directory on the system, and p11-kit is configured to have the nss-provided certificates on its trust_paths (`-Dtrust_paths=/gnu/store/bxwlna9pk9f4rh161a9hjbxrabd3ayyh-nss-certs-3.99/etc/ssl/certs`), and something like `p11-kit list-objects 'pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=certs'` confirms it has access to these certificates:

```
p11-kit list-objects 'pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=certs'
Object: #0
    class: nss-builtin-root-list
    label: Trust Anchor Roots
    flags:
          token
Object: #1
    class: nss-builtin-root-list
    label: Trust Anchor Roots
    flags:
          token
Object: #2
    class: nss-builtin-root-list
    label: Trust Anchor Roots
    flags:
          token
Object: #3
    class: nss-trust
    label: Atos TrustedRoot 2011
    id: a7:a5:06:b1:2c:a6:09:60:ee:d1:97:e9:70:ae:bc:3b:19:6c:db:21
    flags:
          token
Object: #4
    uri: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=certs;id=%73%7A%6B%96%DB%42%07%8B%52%66%C2%64%32%17%FE%E0%67%90%2E%AD;object=DigiCert%20SMIME%20ECC%20P384%20Root%20G5;type=cert
    class: certificate
    certificate-type: x-509
    certificate-category: authority
    label: DigiCert SMIME ECC P384 Root G5
    id: 73:7a:6b:96:db:42:07:8b:52:66:c2:64:32:17:fe:e0:67:90:2e:ad
    start-date: 2021.01.15
    end-date: 2046.01.14
    flags:
          token
Object: #5
    class: nss-trust
    label: DigiCert SMIME ECC P384 Root G5
    id: 73:7a:6b:96:db:42:07:8b:52:66:c2:64:32:17:fe:e0:67:90:2e:ad
    flags:
          token
Object: #6
    uri: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=certs;id=%35%0F%C8%36%63%5E%E2%A3%EC%F9%3B%66%15%CE%51%52%E3%91%9A%3D;object=OISTE%20WISeKey%20Global%20Root%20GB%20CA;type=cert
    class: certificate
    certificate-type: x-509
    certificate-category: authority
    label: OISTE WISeKey Global Root GB CA
    id: 35:0f:c8:36:63:5e:e2:a3:ec:f9:3b:66:15:ce:51:52:e3:91:9a:3d
    start-date: 2014.12.01
    end-date: 2039.12.01
    flags:
          token
[...]
```

Now the problem is that running the `tests/trust-store` test in that environment produces:

```
doit:63: no certificates were found in system trust store!
```

It seems it doesn't consider the p11-kit certs, although my reading of the code is that it should. Any ideas?

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1639
You're receiving this email because of your account on gitlab.com.
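As an added example that is not part of the issue above and is not code from GnuTLS or p11-kit: a small parser for the `p11-kit list-objects` text format quoted in the report. It separates the X.509 authority certificates (the only objects a TLS trust store can actually load) from p11-kit's own trust-policy records (`nss-trust`, `nss-builtin-root-list`), and cross-checks each certificate's colon-separated `id` against the percent-encoded `id=` attribute of its PKCS#11 URI. The listing embedded below is constructed from the objects shown in the issue; `live_listing` and its default URI are assumptions that only matter when `p11-kit` is on PATH.

```python
# Added example; not from the GnuTLS issue, GnuTLS or p11-kit.
import re
import shutil
import subprocess
from typing import Dict, List, Optional
from urllib.parse import unquote_to_bytes

OBJECT_HEADER = re.compile(r"^Object: #(\d+)\s*$")
FIELD = re.compile(r"^\s+([a-z-]+):\s*(.*)$")

# Constructed sample: four of the objects quoted in the issue, command echo included.
SAMPLE_LISTING = """\
p11-kit list-objects 'pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=certs'
Object: #0
    class: nss-builtin-root-list
    label: Trust Anchor Roots
    flags:
          token
Object: #3
    class: nss-trust
    label: Atos TrustedRoot 2011
    id: a7:a5:06:b1:2c:a6:09:60:ee:d1:97:e9:70:ae:bc:3b:19:6c:db:21
    flags:
          token
Object: #4
    uri: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=certs;id=%73%7A%6B%96%DB%42%07%8B%52%66%C2%64%32%17%FE%E0%67%90%2E%AD;object=DigiCert%20SMIME%20ECC%20P384%20Root%20G5;type=cert
    class: certificate
    certificate-type: x-509
    certificate-category: authority
    label: DigiCert SMIME ECC P384 Root G5
    id: 73:7a:6b:96:db:42:07:8b:52:66:c2:64:32:17:fe:e0:67:90:2e:ad
    start-date: 2021.01.15
    end-date: 2046.01.14
    flags:
          token
Object: #6
    uri: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=certs;id=%35%0F%C8%36%63%5E%E2%A3%EC%F9%3B%66%15%CE%51%52%E3%91%9A%3D;object=OISTE%20WISeKey%20Global%20Root%20GB%20CA;type=cert
    class: certificate
    certificate-type: x-509
    certificate-category: authority
    label: OISTE WISeKey Global Root GB CA
    id: 35:0f:c8:36:63:5e:e2:a3:ec:f9:3b:66:15:ce:51:52:e3:91:9a:3d
    start-date: 2014.12.01
    end-date: 2039.12.01
    flags:
          token
"""


def parse_list_objects(text: str) -> List[Dict]:
    """One dict per 'Object: #N' block; 'flags' becomes a list of flag names."""
    objects: List[Dict] = []
    current: Optional[Dict] = None
    for line in text.splitlines():
        m = OBJECT_HEADER.match(line)
        if m:
            current = {"index": int(m.group(1))}
            objects.append(current)
            continue
        if current is None:  # command echo or banner before the first object
            continue
        m = FIELD.match(line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            current[key] = [] if key == "flags" else value
        elif line.strip() and "flags" in current:
            current["flags"].append(line.strip())  # flag names sit on their own lines
    return objects


def pkcs11_uri_attrs(uri: str) -> Dict[str, bytes]:
    """Percent-decoded path attributes of a PKCS#11 URI (query part ignored)."""
    path = uri.split(":", 1)[1].split("?", 1)[0]
    return {k: unquote_to_bytes(v) for k, _, v in (p.partition("=") for p in path.split(";") if p)}


def trust_anchors(objects: List[Dict]) -> List[Dict]:
    """X.509 CA certificate objects only; nss-* objects are p11-kit policy records."""
    return [o for o in objects
            if o.get("class") == "certificate"
            and o.get("certificate-type") == "x-509"
            and o.get("certificate-category") == "authority"]


def id_consistent(obj: Dict) -> bool:
    """The CKA_ID inside the object's URI must equal its colon-separated 'id' field."""
    uri_id = pkcs11_uri_attrs(obj["uri"]).get("id")
    return uri_id is not None and uri_id == bytes.fromhex(obj["id"].replace(":", ""))


def summarize(objects: List[Dict]) -> Dict[str, int]:
    """Object count per PKCS#11 class, as printed in the listing."""
    counts: Dict[str, int] = {}
    for o in objects:
        counts[o.get("class", "?")] = counts.get(o.get("class", "?"), 0) + 1
    return counts


def live_listing(uri: str = "pkcs11:model=p11-kit-trust;token=certs") -> Optional[str]:
    """Run the real tool if installed (assumed URI). The URI is a single argv
    element, so its ';' separators never reach a shell."""
    exe = shutil.which("p11-kit")
    if exe is None:
        return None
    return subprocess.run([exe, "list-objects", uri], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    objs = parse_list_objects(live_listing() or SAMPLE_LISTING)
    print("objects by class:", summarize(objs))
    for anchor in trust_anchors(objs):
        print(f"anchor: {anchor['label']}  id-consistent={id_consistent(anchor)}")
```

Two practical points the script encodes: a PKCS#11 URI typed unquoted into a shell is split at every `;`, so only the part before the first separator reaches `p11-kit` (pass it as one quoted argument or one argv element); and a listing dominated by `nss-trust` and `nss-builtin-root-list` entries is not by itself evidence that certificate objects are visible, so count the `class: certificate` objects with `certificate-category: authority` when comparing against what a trust store reports.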

