... redirecting some discussion here to the mailing list with Nikos' permission ...
> On 09.09.2014 12:56, Stef Walter wrote:
>> I'm working on defining an installed p11-kit header for stapled
>> certificate extensions:
>> (In reply to Nikos Mavrogiannopoulos)
> I realized that there is no predefined set of extensions in [0].
> Which extensions may be present in a p11-kit trust module, and is
> there some way to list them?

You can search for all objects with class CKO_X_CERTIFICATE_EXTENSION.
For all stapled extensions for a given certificate search for all objects
with class CKO_X_CERTIFICATE_EXTENSION *and* the appropriate
CKA_PUBLIC_KEY_INFO.

> I mean is it only the "Extended Key Usage"

No. All manner of stapled certificate extensions are possible. These can
be defined as input to the p11-kit-trust module as well. For example
ca-certificates in Fedora has added a BasicConstraints extension to one
of the CAs that was missing it. The format for this was explicitly
unstable until now. However, now that we're finishing up work on how
stapled certificate extensions are done, the file format should be
documented.

> that you set (and if yes, which are the available values in it?).

As you're aware, inside of an Extended Key Usage, you find OIDs for the
various usages. The common usages are found here:

http://tools.ietf.org/html/rfc5280#page-44

There is no definitive set. Enterprises often add their own. For example
Microsoft has a broad set of ExtendedKeyUsage OIDs they use in their
products and certificates.

Cheers,

Stef

--
s...@thewalter.net
http://stef.thewalter.net

_______________________________________________
p11-glue mailing list
p11-glue@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/p11-glue
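The search Stef describes, done through the PKCS#11 C_FindObjects* calls, as an added example that is not code from this thread or from p11-kit itself. It assumes the numeric values of CKA_PUBLIC_KEY_INFO and CKO_X_CERTIFICATE_EXTENSION copied from pkcs11.h and p11-kit's pkcs11x.h, takes the three entry points as plain function pointers instead of a CK_FUNCTION_LIST, and drives them with a constructed in-memory stand-in module so it runs without a real trust module loaded.

```c
#include <string.h>
/* Stand-ins for the pkcs11.h / pkcs11x.h definitions used below so this file builds alone (a real
 * program includes <p11-kit/pkcs11.h> and <p11-kit/pkcs11x.h>); the values are an assumption. */
typedef unsigned long CK_ULONG, CK_RV, CK_SESSION_HANDLE, CK_OBJECT_HANDLE, CK_OBJECT_CLASS;
typedef struct { CK_ULONG type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
#define CKR_OK 0UL
#define CKA_CLASS 0x0UL
#define CKA_PUBLIC_KEY_INFO 0x129UL                                       /* PKCS#11 v2.40 */
#define CKO_X_CERTIFICATE_EXTENSION ((0x80000000UL | 0x58444700UL) + 200) /* p11-kit pkcs11x.h */
/* C_FindObjects* entry points as plain pointers (not a full CK_FUNCTION_LIST),
 * so the search can be driven by the stand-in module at the bottom. */
typedef struct {
    CK_RV (*init)(CK_SESSION_HANDLE, CK_ATTRIBUTE *, CK_ULONG);
    CK_RV (*find)(CK_SESSION_HANDLE, CK_OBJECT_HANDLE *, CK_ULONG, CK_ULONG *);
    CK_RV (*final)(CK_SESSION_HANDLE);
} find_ops;
/* Handles of every stapled extension attached to the certificate whose DER SubjectPublicKeyInfo
 * is spki (NULL: extensions of all certificates). Returns the count, or (CK_ULONG)-1 on error. */
CK_ULONG find_stapled_extensions(const find_ops *m, CK_SESSION_HANDLE s,
                                 const unsigned char *spki, CK_ULONG spki_len,
                                 CK_OBJECT_HANDLE *out, CK_ULONG max_out)
{
    CK_OBJECT_CLASS klass = CKO_X_CERTIFICATE_EXTENSION;
    CK_ATTRIBUTE tmpl[2] = { { CKA_CLASS, &klass, sizeof klass },
                             { CKA_PUBLIC_KEY_INFO, (void *)spki, spki_len } };
    CK_ULONG count = 0, got = 0;
    if (m->init(s, tmpl, spki ? 2 : 1) != CKR_OK) return (CK_ULONG)-1;
    /* A module may hand back fewer handles than asked for; stop only when it returns none. */
    while (count < max_out && m->find(s, out + count, max_out - count, &got) == CKR_OK && got)
        count += got;
    m->final(s);
    return count;
}
/* Constructed stand-in trust module with three objects; only object 2 is a stapled extension
 * of the certificate whose (constructed, one-byte) SPKI is 'A'. */
static const struct { CK_OBJECT_CLASS klass; unsigned char spki; } objs[3] = {
    { 1UL /* CKO_CERTIFICATE */, 'A' }, { CKO_X_CERTIFICATE_EXTENSION, 'A' },
    { CKO_X_CERTIFICATE_EXTENSION, 'B' } };
static CK_ATTRIBUTE cur[2]; static CK_ULONG ncur, pos;
static CK_RV fake_init(CK_SESSION_HANDLE s, CK_ATTRIBUTE *t, CK_ULONG n)
{ (void)s; memcpy(cur, t, n * sizeof *t); ncur = n; pos = 0; return CKR_OK; }
static CK_RV fake_find(CK_SESSION_HANDLE s, CK_OBJECT_HANDLE *h, CK_ULONG max, CK_ULONG *n)
{   (void)s; *n = 0;  /* hands back at most one handle per call, as a real module may */
    for (; *n == 0 && max && pos < 3; pos++)
        if (objs[pos].klass == *(CK_OBJECT_CLASS *)cur[0].pValue && (ncur < 2 ||
            (cur[1].ulValueLen == 1 && *(unsigned char *)cur[1].pValue == objs[pos].spki)))
            h[(*n)++] = pos + 1;  /* handles start at 1; 0 is CK_INVALID_HANDLE */
    return CKR_OK; }
static CK_RV fake_final(CK_SESSION_HANDLE s) { (void)s; return CKR_OK; }
const find_ops fake_module = { fake_init, fake_find, fake_final };
```

Against a real module the same function is called with the three pointers taken from the CK_FUNCTION_LIST returned by C_GetFunctionList, and spki is the DER-encoded SubjectPublicKeyInfo of the certificate being queried.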