On Thu, Sep 18, 2014 at 2:10 PM, Nikos Mavrogiannopoulos <[email protected]> wrote:
> Hello,
> I've just released gnutls 3.3.8. This is a bug-fix release on
> the next-stable branch. An important aspect of this release is that it
> completes support for the p11-kit trust module, allowing gnutls to
> utilize attached extensions in the system CA certificates (e.g. to
> restrict a CA certificate to certain domain names, or for a specific
> scope). I'll provide details on that feature on a follow up e-mail.

Ok. It seems I can now get back to that. P11-kit provides a trust module that itself provides a PKCS #11 API to verify certificates using some predefined trusted anchors. It provides a documented API that gnutls uses (and as far as I understand an undocumented API that NSS uses).

In any case let's suppose you have p11-kit configured, say with --with-trust-paths=/usr/share/pki/ca-trust-source and you have the "normal" bundle of CAs there. Then a trust module needs to be marked as such using a .conf file (e.g., in /etc/pkcs11/modules) with the contents:

====
module: p11-kit-trust.so
priority: 1
trust-policy: yes
====

I'll give an example of the possibility of adding restrictions to the CAs in the bundle. E.g., let's change the scope of amazon.com's CA, to prevent it from signing TLS certificates.

Before adding any restrictions let's ensure that connecting to our target site works.

$ gnutls-cli --x509cafile "pkcs11:" www.amazon.com

If it doesn't, there is something wrong with the p11-kit setup.

Then let's create /usr/share/pki/ca-trust-source/amazon.p11-kit with the following contents:

[p11-kit-object-v1]
class: x-certificate-extension
label: "My label"
# The full URL encoded DER SubjectPublicKeyInfo SEQUENCE
public-key-info: "%30%82%01%22%30%0d%06%09%2a%86%48%86%f7%0d%01%01%01%05%00%03%82%01%0f%00%30%82%01%0a%02%82%01%01%00%af%24%08%08%29%7a%35%9e%60%0c%aa%e7%4b%3b%4e%dc%7c%bc%3c%45%1c%bb%2b%e0%fe%29%02%f9%57%08%a3%64%85%15%27%f5%f1%ad%c8%31%89%5d%22%e8%2a%aa%a6%42%b3%8f%f8%b9%55%b7%b1%b7%4b%b3%fe%8f%7e%07%57%ec%ef%43%db%66%62%15%61%cf%60%0d%a4%d8%de%f8%e0%c3%62%08%3d%54%13%eb%49%ca%59%54%85%26%e5%2b%8f%1b%9f%eb%f5%a1%91%c2%33%49%d8%43%63%6a%52%4b%d2%8f%e8%70%51%4d%d1%89%69%7b%c7%70%f6%b3%dc%12%74%db%7b%5d%4b%56%d3%96%bf%15%77%a1%b0%f4%a2%25%f2%af%1c%92%67%18%e5%f4%06%04%ef%90%b9%e4%00%e4%dd%3a%b5%19%ff%02%ba%f4%3c%ee%e0%8b%eb%37%8b%ec%f4%d7%ac%f2%f6%f0%3d%af%dd%75%91%33%19%1d%1c%40%cb%74%24%19%21%93%d9%14%fe%ac%2a%52%c7%8f%d5%04%49%e4%8d%63%47%88%3c%69%83%cb%fe%47%bd%2b%7e%4f%c5%95%ae%0e%9d%d4%d1%43%c0%67%73%e3%14%08%7e%e5%3f%9f%73%b8%33%0a%cf%5d%3f%34%87%96%8a%ee%53%e8%25%15%02%03%01%00%01"
object-id: 2.5.29.37
value: "%30%16%06%03%55%1d%25%01%01%ff%04%0c%30%0a%06%08%2b%06%01%05%05%07%03%09"

That changes the purpose of the amazon CA to OCSP signing. The CA is identified from the public-key-info (which is a HEX encoding of the subjectPublicKeyInfo of that CA's key), and the object-id and value are RFC5280 certificate extensions. When that file is in place using the gnutls-cli command above should fail.

Other restrictions can be added, potentially all restrictions that can be expressed with extensions used by gnutls, e.g., restricting the host names a CA can sign for etc.

Unfortunately the tools required to make these p11-kit files pretty much don't exist. You'll have to mess with some frob- examples or help Stef Walter who maintains p11-kit to make them happen.

regards,
Nikos
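
The "value" field in the file above, rebuilt from its parts as an added example (not part of the original post, and not p11-kit or gnutls code). It assumes the field is the DER Extension structure with every byte percent-encoded, as in the post; all function names are hypothetical.

```python
# Added example: build the percent-encoded "value" of an extendedKeyUsage
# x-certificate-extension object. Function names are hypothetical.

def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID: " + dotted)
    out = bytearray()
    # The first two arcs share one sub-identifier; each is base-128 encoded.
    for arc in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def eku_extension(purposes, critical=True):
    """Extension ::= SEQUENCE { extnID, critical, extnValue } (RFC 5280)."""
    eku = tlv(0x30, b"".join(der_oid(p) for p in purposes))
    crit = tlv(0x01, b"\xff") if critical else b""  # DEFAULT FALSE is omitted
    return tlv(0x30, der_oid("2.5.29.37") + crit + tlv(0x04, eku))

def p11kit_encode(data):
    """Percent-encode every byte, matching the style of the file in the post."""
    return "".join("%%%02x" % b for b in data)

def p11kit_decode(text):
    """Inverse of p11kit_encode; only handles fully percent-encoded input."""
    return bytes.fromhex(text.replace("%", ""))

OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"  # id-kp-OCSPSigning
# Copied from the post, used to check the encoder against it.
PAGE_VALUE = "%30%16%06%03%55%1d%25%01%01%ff%04%0c%30%0a%06%08%2b%06%01%05%05%07%03%09"

if __name__ == "__main__":
    print("object-id: 2.5.29.37")
    print('value: "%s"' % p11kit_encode(eku_extension([OCSP_SIGNING])))
```

Passing a different list of purpose OIDs to eku_extension() yields the value for another extendedKeyUsage restriction; the public-key-info field still has to come from the CA certificate's own SubjectPublicKeyInfo.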
