[rs-commit] r38 - /redwax-tool/trunk/redwax_p11kit.c

Graham Leggett minfrin at redwax.eu
Fri Nov 19 12:43:06 CET 2021


On 18 Nov 2021, at 15:47, Dirk-Willem van Gulik via rs-commit <rs-commit at redwax.eu> wrote:

> On 18 Nov 2021, at 14:13, rs-commit--- via rs-commit <rs-commit at redwax.eu> wrote:
> 
>> Root certs are promoted to trusted.
> 
> That works in case of cross-signing and similar specials as well ? Or can you somehow specify a root that is not self signed by config ?

I need to work out how to specify “trusted” certs separate from “root” (self signed) certs. Right now, anything that’s a PEM “TRUSTED CERTIFICATE” is trusted, and all other self signed certs are just roots.

This will affect the "--filter verify" option, which does a full X509_verify_cert(), only allowing certs (and chains) through that pass.

The "--filter search" option links up certs by running an X509_check_issued() against the certs, and will return everything it finds ignoring trusts, purposes, etc.

With the addition of pkcs11, is there a mechanism to indicate a trusted cert, as opposed to just a cert? The definition of CKA_TRUSTED is very vague, I am interpreting it right now as meaning the same as “TRUSTED CERTIFICATE”, but haven't found anything concrete to confirm this.

Regards,
Graham
—
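The search/verify distinction described in the message above, as an added example that is not redwax-tool's own code: Go's crypto/x509 stands in for OpenSSL, with Certificate.CheckSignatureFrom in the role of X509_check_issued (it additionally verifies the signature, which X509_check_issued does not) and Certificate.Verify in the role of X509_verify_cert. The helper names (mkCert, searchChain, verifyChain, demo) are assumed for illustration; a self-signed cert is only a root until it is placed in the trusted pool, at which point verify starts passing while search links it either way.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert (hypothetical helper) issues a cert for name signed by parent; self-signed when parent is nil.
func mkCert(name string, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, pkey = tmpl, key // self-signed
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// searchChain is the "--filter search" idea: follow issuer links up to a self-signed cert, ignoring trust entirely.
func searchChain(leaf *x509.Certificate, pool ...*x509.Certificate) []*x509.Certificate {
	chain, cur := []*x509.Certificate{leaf}, leaf
	for i := 0; i < len(pool) && len(chain) < len(pool) && cur.CheckSignatureFrom(cur) != nil; i++ {
		if c := pool[i]; c != cur && cur.CheckSignatureFrom(c) == nil {
			chain, cur, i = append(chain, c), c, -1 // new tip: rescan the pool for its issuer
		}
	}
	return chain
}

// verifyChain is the "--filter verify" idea: full path validation that passes only if the chain ends at a trusted cert.
func verifyChain(leaf *x509.Certificate, trusted ...*x509.Certificate) bool {
	roots := x509.NewCertPool() // empty, not nil: never fall back to the system roots
	for _, c := range trusted {
		roots.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// demo: constructed self-signed root plus a leaf it issued; search links them either way, verify only once the root is trusted.
func demo() (searchLen int, rootTrusted, rootUntrusted bool) {
	root, rkey := mkCert("Root CA", true, nil, nil)
	leaf, _ := mkCert("leaf", false, root, rkey)
	return len(searchChain(leaf, leaf, root)), verifyChain(leaf, root), verifyChain(leaf)
}
```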


