Previous: Verifying a certificate in the context of TLS session, Up: X.509 certificates [Contents][Index]
Some systems provide a system wide trusted certificate storage accessible using the PKCS #11 API. That is, the trusted certificates are queried and accessed using the PKCS #11 API, and trusted certificate properties, such as purpose, are marked using attached extensions. One example is the p11-kit trust module8.
These special PKCS #11 modules can be used for GnuTLS certificate verification if marked as trust
policy modules, i.e., with trust-policy: yes in the p11-kit module file.
The way to use them is by specifying to the file verification function (e.g., gnutls_certificate_set_x509_trust_file),
a pkcs11 URL, or simply pkcs11: to use all the marked with trust policy modules.
The trust modules of p11-kit assign a purpose to trusted authorities using the extended key usage object identifiers. The common purposes are shown in Table 4.4. Note that typically according to [RFC5280] the extended key usage object identifiers apply to end certificates. Their application to CA certificates is an extension used by the trust modules.
| Purpose | OID | Description |
|---|---|---|
| GNUTLS_KP_TLS_WWW_SERVER | 1.3.6.1.5.5.7.3.1 | The certificate is to be used for TLS WWW authentication. When in a CA certificate, it indicates that the CA is allowed to sign certificates for TLS WWW authentication. |
| GNUTLS_KP_TLS_WWW_CLIENT | 1.3.6.1.5.5.7.3.2 | The certificate is to be used for TLS WWW client authentication. When in a CA certificate, it indicates that the CA is allowed to sign certificates for TLS WWW client authentication. |
| GNUTLS_KP_CODE_SIGNING | 1.3.6.1.5.5.7.3.3 | The certificate is to be used for code signing. When in a CA certificate, it indicates that the CA is allowed to sign certificates for code signing. |
| GNUTLS_KP_EMAIL_PROTECTION | 1.3.6.1.5.5.7.3.4 | The certificate is to be used for email protection. When in a CA certificate, it indicates that the CA is allowed to sign certificates for email users. |
| GNUTLS_KP_OCSP_SIGNING | 1.3.6.1.5.5.7.3.9 | The certificate is to be used for signing OCSP responses. When in a CA certificate, it indicates that the CA is allowed to sign certificates which sign OCSP responses. |
| GNUTLS_KP_ANY | 2.5.29.37.0 | The certificate is to be used for any purpose. When in a CA certificate, it indicates that the CA is allowed to sign any kind of certificates. |
Table 4.4: Key purpose object identifiers.
With such modules, it is recommended to use the verification functions gnutls_x509_trust_list_verify_crt2,
or gnutls_certificate_verify_peers, which allow to explicitly specify the key purpose. The
other verification functions which do not allow setting a purpose, would operate as if
GNUTLS_KP_TLS_WWW_SERVER was requested from the trusted authorities.
Previous: Verifying a certificate in the context of TLS session, Up: X.509 certificates [Contents][Index]