On Wed, 2018-02-28 at 10:41 +0000, Jeremy Rand wrote:
> Hi,
>
> I'm doing a few experiments with p11-kit's trust module. I'm wondering
> if it's possible to modify a trust anchor that exists in a .p11-kit file
> via some syntax that I could place in a different .p11-kit file. In
> particular, I want to apply some extra constraints to a root CA from the
> Mozilla CA list, but I don't want to edit the .p11-kit file that
> contains the Mozilla CA list, since that file is managed by Fedora's
> package manager and will presumably get overwritten periodically outside
> of my control. So I figure it would be useful to put those extra
> constraints in a different .p11-kit file that isn't managed by the
> package manager.
Yes. Constraints are applied on the public key. My understanding is that you can add a .p11-kit file containing the target CA's public key and the restrictions you want to add. Something like:

```
[p11-kit-object-v1]
class: x-certificate-extension
label: "Example.com CA restriction"
object-id: 2.5.29.30
value: "%30%1a%06%03%55%1d%1e%04%13%30%11%a0%0f%30%0d%82%0b%65%78%61%6d%70%6c%65%2e%63%6f%6d"
-----BEGIN PUBLIC KEY-----
...
-----END PUBLIC KEY-----
```

and place it in the p11-kit source directory of your distribution.

regards,
Nikos

_______________________________________________
p11-glue mailing list
p11-glue@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/p11-glue
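The `value:` in Nikos's snippet is a DER-encoded X.509 Extension (OID 2.5.29.30, NameConstraints) written as percent-encoded bytes, with a permitted dNSName subtree of `example.com`. The script below is an added example, not code from the thread or from p11-kit: it hand-encodes that structure with the standard library only, so you can generate the `value:` line for your own domains and check it against the one in the reply, and it assembles the object file text around a public-key PEM that you must supply (the PEM below is a labelled placeholder; p11-kit matches the restriction to the CA by its public key). Whether a given p11-kit version honours an excluded subtree or a long-form DER length is not something this thread states; the encoder simply follows X.690.

```python
"""Generate a p11-kit 'x-certificate-extension' object that attaches an
X.509 NameConstraints extension (OID 2.5.29.30) to a CA public key.

Added example (not p11-kit's own code). DER is hand-encoded per X.690 so the
script runs offline; the percent-encoded 'value:' syntax follows the reply
above. The PUBLIC KEY block is a placeholder you replace with the CA's key.
"""


def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER tag-length-value; long-form length for >= 128 bytes."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        nbytes = (n.bit_length() + 7) // 8
        length = bytes([0x80 | nbytes]) + n.to_bytes(nbytes, "big")
    return bytes([tag]) + length + content


def der_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER from dotted form (first two arcs packed as 40*a+b)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:  # base-128 with continuation bits, most significant first
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return der_tlv(0x06, bytes(body))


def general_subtrees(domains) -> bytes:
    """SEQUENCE OF GeneralSubtree { base GeneralName }; dNSName is [2] IMPLICIT IA5String."""
    return b"".join(der_tlv(0x30, der_tlv(0x82, d.encode("ascii"))) for d in domains)


def name_constraints_extension(permitted, excluded=()) -> bytes:
    """Extension { extnID 2.5.29.30, extnValue OCTET STRING { NameConstraints } }."""
    nc = b""
    if permitted:
        nc += der_tlv(0xA0, general_subtrees(permitted))  # permittedSubtrees [0]
    if excluded:
        nc += der_tlv(0xA1, general_subtrees(excluded))  # excludedSubtrees [1]
    ext_value = der_tlv(0x04, der_tlv(0x30, nc))
    return der_tlv(0x30, der_oid("2.5.29.30") + ext_value)


def p11kit_value(der: bytes) -> str:
    """Percent-encode every byte, as in the 'value:' line of the reply."""
    return "".join("%%%02x" % b for b in der)


# Placeholder: replace with the SubjectPublicKeyInfo PEM of the CA to restrict.
PLACEHOLDER_PUBLIC_KEY_PEM = (
    "-----BEGIN PUBLIC KEY-----\n"
    "<CA public key, base64 SubjectPublicKeyInfo, goes here>\n"
    "-----END PUBLIC KEY-----\n"
)


def p11kit_object(label: str, permitted, public_key_pem: str, excluded=()) -> str:
    """Full text of a .p11-kit file carrying the restriction for that key."""
    der = name_constraints_extension(permitted, excluded)
    return (
        "[p11-kit-object-v1]\n"
        "class: x-certificate-extension\n"
        f'label: "{label}"\n'
        "object-id: 2.5.29.30\n"
        f'value: "{p11kit_value(der)}"\n'
        + public_key_pem
    )


if __name__ == "__main__":
    print(p11kit_object("Example.com CA restriction", ["example.com"],
                        PLACEHOLDER_PUBLIC_KEY_PEM))
```

Running it with `["example.com"]` reproduces the exact `value:` string from the reply, which is a cheap way to confirm an encoder before trusting it with a real root. Keep in mind that the constraint only limits names the CA may certify; it does not revoke the anchor, so a certificate that the constraint rejects still needs the verifier to actually enforce name constraints.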