

4.1.1.9 Verifying a certificate using PKCS #11

Some systems provide a system-wide trusted certificate store that is accessible through the PKCS #11 API. That is, the trusted certificates are queried and accessed using the PKCS #11 API, and trusted certificate properties, such as purpose, are marked using attached extensions. One example is the p11-kit trust module (8).

These special PKCS #11 modules can be used for GnuTLS certificate verification if they are marked as trust policy modules, i.e., with trust-policy: yes in the p11-kit module file. To use them, pass a pkcs11 URL to the file verification function (e.g., gnutls_certificate_set_x509_trust_file), or simply pkcs11: to use all modules marked with trust policy.

The trust modules of p11-kit assign a purpose to trusted authorities using the extended key usage object identifiers. The common purposes are shown in Table 4.4. Note that, according to [RFC5280], the extended key usage object identifiers typically apply to end certificates. Their application to CA certificates is an extension used by the trust modules.

| Purpose | OID | Description |
|---|---|---|
| GNUTLS_KP_TLS_WWW_SERVER | 1.3.6.1.5.5.7.3.1 | The certificate is to be used for TLS WWW authentication. When in a CA certificate, it indicates that the CA is allowed to sign certificates for TLS WWW authentication. |
| GNUTLS_KP_TLS_WWW_CLIENT | 1.3.6.1.5.5.7.3.2 | The certificate is to be used for TLS WWW client authentication. When in a CA certificate, it indicates that the CA is allowed to sign certificates for TLS WWW client authentication. |
| GNUTLS_KP_CODE_SIGNING | 1.3.6.1.5.5.7.3.3 | The certificate is to be used for code signing. When in a CA certificate, it indicates that the CA is allowed to sign certificates for code signing. |
| GNUTLS_KP_EMAIL_PROTECTION | 1.3.6.1.5.5.7.3.4 | The certificate is to be used for email protection. When in a CA certificate, it indicates that the CA is allowed to sign certificates for email users. |
| GNUTLS_KP_OCSP_SIGNING | 1.3.6.1.5.5.7.3.9 | The certificate is to be used for signing OCSP responses. When in a CA certificate, it indicates that the CA is allowed to sign certificates which sign OCSP responses. |
| GNUTLS_KP_ANY | 2.5.29.37.0 | The certificate is to be used for any purpose. When in a CA certificate, it indicates that the CA is allowed to sign any kind of certificates. |

Table 4.4: Key purpose object identifiers.

With such modules, it is recommended to use the verification functions gnutls_x509_trust_list_verify_crt2 or gnutls_certificate_verify_peers, which allow the key purpose to be specified explicitly. The other verification functions, which do not allow setting a purpose, would operate as if GNUTLS_KP_TLS_WWW_SERVER was requested from the trusted authorities.


Footnotes

(8) See https://p11-glue.github.io/p11-glue/trust-module.html.

