Scute: feature request: Support CKA_TRUSTED attribute on X.509 certs

Simon Josefsson simon at josefsson.org
Sun Apr 22 13:45:36 CEST 2007


Hi!  I'm making GnuTLS support PKCS#11, and use Scute to test it.
I've noticed that while Scute does have the user's CA cert, it is not
marked as trusted via the PKCS#11 interface.  A small PKCS#11 app that
does:

		pValueTemplate[0].type = CKA_ID;
		pValueTemplate[0].pValue = buf;
		pValueTemplate[0].ulValueLen = sizeof(buf);
...
		pValueTemplate[2].type = CKA_CERTIFICATE_CATEGORY;
		pValueTemplate[2].pValue = &cat;
		pValueTemplate[2].ulValueLen = sizeof(cat);

		pValueTemplate[3].type = CKA_TRUSTED;
		pValueTemplate[3].pValue = &trusted;
		pValueTemplate[3].ulValueLen = sizeof(trusted);
...
		rv = C_GetAttributeValue(shSession, ohObject,
					 pValueTemplate, 4);
...
		printf ("buf: %s\n", buf);
		printf ("trust: %d\n", trusted);
		printf ("cat: %d\n", cat);

Will print:

buf: 1532B4BA5A8A7988CA264283591BA3A21C0BCC24
trust: 0
cat: 0
..
buf: BD5F80DE63034EC9E2841E6309552E345C5F226F
trust: 0
cat: 0

The trustlist.txt is set up:

jas at mocca:~$ cat .gnupg/trustlist.txt

# CN=GnuTLS test CA
1532B4BA5A8A7988CA264283591BA3A21C0BCC24 S
jas at mocca:~$

My intention is to use the CKA_TRUSTED, or possibly the
CKA_CERTIFICATE_CATEGORY, attributes to decide whether to treat a
certificate as a trusted certificate by GnuTLS.  Is that a bad idea,
or would implementing those attributes in Scute be a good idea?

Thanks,
Simon

jas at mocca:~$ gpgsm -k
/home/jas/.gnupg/pubring.kbx
----------------------------
Serial number: 4628A165
       Issuer: /CN=GnuTLS test CA
      Subject: /CN=Test Key/O=Simon Josefsson
          aka: (dns-name josefsson.org)
     validity: 2007-04-20 11:17:59 through 2007-10-17 11:18:02
     key type: 1024 bit RSA
    key usage: digitalSignature keyEncipherment
ext key usage: clientAuth (suggested), serverAuth (suggested)
  fingerprint: BD:5F:80:DE:63:03:4E:C9:E2:84:1E:63:09:55:2E:34:5C:5F:22:6F

Serial number: 46261D27
       Issuer: /CN=GnuTLS test CA
      Subject: /CN=GnuTLS test CA
     validity: 2007-04-18 13:29:11 through 2008-04-17 13:29:11
     key type: 1024 bit RSA
    key usage: certSign
 chain length: unlimited
  fingerprint: 15:32:B4:BA:5A:8A:79:88:CA:26:42:83:59:1B:A3:A2:1C:0B:CC:24

random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
              outmix=0 getlvl1=0/0 getlvl2=0/0
secmem usage: 0/16384 bytes in 0 blocks
jas at mocca:~$
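One thing a client consuming CKA_TRUSTED should do, which the snippet above does not show because its rv check is elided, is distinguish "the module answered CK_FALSE" from "the module does not implement the attribute at all". PKCS#11 (v2.20, C_GetAttributeValue) specifies that when a requested attribute type is not supported for an object, the call returns CKR_ATTRIBUTE_TYPE_INVALID, sets that attribute's ulValueLen to CK_UNAVAILABLE_INFORMATION and still fills in the attributes it does support; a value of 0 in an untouched local therefore says nothing by itself. The following is an added example, not code from Simon's message nor from Scute or GnuTLS: the few PKCS#11 types and constants it needs are copied from the spec so it compiles without pkcs11.h, and the module behind it is a constructed stand-in (stub_get_attribute_value, with object handles 1, 2 and 3 chosen for illustration) rather than a real token.

```c
/* Added example (not Scute/GnuTLS code): query CKA_TRUSTED and
 * CKA_CERTIFICATE_CATEGORY and separate "trusted", "not trusted" and
 * "attribute not implemented by this module".  PKCS#11 constants are the
 * v2.20 values; the module behind get_attr_fn is a constructed stand-in. */
#include <stdio.h>
#include <string.h>

typedef unsigned long CK_ULONG;
typedef unsigned long CK_RV;
typedef unsigned char CK_BBOOL;
typedef CK_ULONG CK_SESSION_HANDLE;
typedef CK_ULONG CK_OBJECT_HANDLE;
typedef struct { CK_ULONG type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;

#define CK_TRUE 1
#define CK_FALSE 0
#define CKA_TRUSTED 0x86UL
#define CKA_CERTIFICATE_CATEGORY 0x87UL   /* 0 unspecified, 1 token user, 2 authority, 3 other */
#define CKR_OK 0x00UL
#define CKR_ATTRIBUTE_TYPE_INVALID 0x12UL
#define CKR_BUFFER_TOO_SMALL 0x150UL
#define CK_UNAVAILABLE_INFORMATION (~0UL)

/* Same signature as a module's C_GetAttributeValue. */
typedef CK_RV (*get_attr_fn)(CK_SESSION_HANDLE, CK_OBJECT_HANDLE, CK_ATTRIBUTE *, CK_ULONG);

typedef enum { TRUST_ASSERTED, TRUST_DENIED, TRUST_UNKNOWN } trust_result;

/* Ask the module about one certificate object.  TRUST_UNKNOWN means the
 * caller must fall back to another trust source (e.g. trustlist.txt);
 * it must never be promoted to "trusted". */
trust_result query_trust(get_attr_fn getattr, CK_SESSION_HANDLE s,
                         CK_OBJECT_HANDLE o, CK_ULONG *category_out)
{
    CK_BBOOL trusted = CK_FALSE;
    CK_ULONG cat = 0;
    CK_ATTRIBUTE tmpl[2] = {
        { CKA_TRUSTED, &trusted, sizeof trusted },
        { CKA_CERTIFICATE_CATEGORY, &cat, sizeof cat },
    };
    CK_RV rv = getattr(s, o, tmpl, 2);

    /* CKR_ATTRIBUTE_TYPE_INVALID still fills the supported attributes and
     * marks the unsupported ones with CK_UNAVAILABLE_INFORMATION; any other
     * error means nothing in the template can be relied on. */
    if (rv != CKR_OK && rv != CKR_ATTRIBUTE_TYPE_INVALID)
        return TRUST_UNKNOWN;
    if (category_out)
        *category_out = (tmpl[1].ulValueLen == CK_UNAVAILABLE_INFORMATION)
                        ? CK_UNAVAILABLE_INFORMATION : cat;
    if (tmpl[0].ulValueLen == CK_UNAVAILABLE_INFORMATION)
        return TRUST_UNKNOWN;          /* module does not implement CKA_TRUSTED */
    return trusted == CK_TRUE ? TRUST_ASSERTED : TRUST_DENIED;
}

CK_ULONG category_of(get_attr_fn getattr, CK_SESSION_HANDLE s, CK_OBJECT_HANDLE o)
{
    CK_ULONG cat = CK_UNAVAILABLE_INFORMATION;
    query_trust(getattr, s, o, &cat);
    return cat;
}

/* Constructed stand-in for a module's C_GetAttributeValue (not a real token).
 * Object 1: CA with CKA_TRUSTED=TRUE, category 2 (authority).
 * Object 2: module that does not implement CKA_TRUSTED at all.
 * Object 3: end-entity cert, CKA_TRUSTED=FALSE, category 1 (token user). */
static CK_RV stub_get_attribute_value(CK_SESSION_HANDLE s, CK_OBJECT_HANDLE o,
                                      CK_ATTRIBUTE *t, CK_ULONG n)
{
    CK_RV rv = CKR_OK;
    (void)s;
    for (CK_ULONG i = 0; i < n; i++) {
        CK_BBOOL b; CK_ULONG u;
        switch (t[i].type) {
        case CKA_TRUSTED:
            if (o == 2) { t[i].ulValueLen = CK_UNAVAILABLE_INFORMATION; rv = CKR_ATTRIBUTE_TYPE_INVALID; break; }
            if (t[i].ulValueLen < sizeof b) { t[i].ulValueLen = CK_UNAVAILABLE_INFORMATION; rv = CKR_BUFFER_TOO_SMALL; break; }
            b = (o == 1) ? CK_TRUE : CK_FALSE;
            memcpy(t[i].pValue, &b, sizeof b); t[i].ulValueLen = sizeof b; break;
        case CKA_CERTIFICATE_CATEGORY:
            if (t[i].ulValueLen < sizeof u) { t[i].ulValueLen = CK_UNAVAILABLE_INFORMATION; rv = CKR_BUFFER_TOO_SMALL; break; }
            u = (o == 1) ? 2 : (o == 3) ? 1 : 0;
            memcpy(t[i].pValue, &u, sizeof u); t[i].ulValueLen = sizeof u; break;
        default:
            t[i].ulValueLen = CK_UNAVAILABLE_INFORMATION; rv = CKR_ATTRIBUTE_TYPE_INVALID; break;
        }
    }
    return rv;
}

int main(void)
{
    static const char *names[] = { "asserted", "denied", "unknown" };
    for (CK_OBJECT_HANDLE o = 1; o <= 3; o++) {
        CK_ULONG cat = 0;
        trust_result r = query_trust(stub_get_attribute_value, 0, o, &cat);
        printf("object %lu: trust %s, category %lu\n", o, names[r], cat);
    }
    return 0;
}
```

The point of the enum is that only TRUST_ASSERTED should ever let a client such as GnuTLS treat the object as a trust anchor; TRUST_UNKNOWN is the case the output in the message above could be showing (trust: 0 with an unchecked rv), and it should route to whatever trust store the application already has rather than silently reading as "not trusted" or, worse, being ignored.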



