Maintained by: NLnet Labs

[Unbound-users] Fwd: PKCS#11 trust module implementation

Nikos Mavrogiannopoulos
Sun Dec 23 19:07:32 CET 2012

 Stef Walter has been working on designing a central key store to be
implemented on desktop systems. I was thinking this could be useful to
unbound (and possibly other implementations) to use that storage for
dnssec keys. The original document in [2] is made with certificates
(mail/web) in mind, but if you have any comments on how this could be
extended to accommodate dnssec keys it would be nice to forward them
to the author or me.

best regards,

---------- Forwarded message ----------
From: Stef Walter <stefw at>
Date: Fri, Dec 21, 2012 at 12:05 PM
Subject: PKCS#11 trust module implementation
To: p11-glue at

I've been working an a p11-kit PKCS#11 trust module as a way to share
certificate anchors and black lists between crypto libraries.

I hope that eventually we'll have a comprehensive way represent this
stored system trust policy information. Yesterday I posted a rough
document for how this might be done. It's called 'Sharing Trust Policy
between Crypto Libraries' [1] [2].

However, for this initial implementation things are more modest:

 * Provide a PKCS#11 module that loads certificates, trust and blacklist
   information from a directory.

 * This PKCS#11 module is a drop in replacement to be used with NSS or
   glib-networking, both of which can consume anchors and trust policy
   from PKCS#11. In this way NSS can use system certificate anchors
   stored in a directory rather than hard coded in, or stored in its
   per-application databases.

 * As an interim measure the p11-kit tool will provide a way to extract
   the certificates and trust information from the PKCS#11 module in
   various formats:

   - OpenSSL dirhash format
   - CA PEM bundle of anchors for serverAuth usage (or other usages)
   - Java KeyStore cacerts format

 * No crypto library or application changes are necessary to make use
   of this initial implementation on a system.

Over time I want to help build bridges for GnuTLS, OpenSSL, and Java so
that they can read trust information directly from a PKCS#11 module,
removing the need to extract that information into various formats.

It's assumed that most folks/distros will continue to use the trusted
anchors and black list published on the Mozilla CA Certificate list (but
use of others are certainly possible). System administrators can easy
add certificates trust anchors, and (in the interim after a the extract
tool has been run) have them recognized by all the relevant crypto
libraries and applications.

Obviously, certain applications (especially servers) can continue to use
custom CA lists.

So, here's what's working so far:

 * The code is on the 'trust' branch of the p11-kit repository:
 * The PKCS#11 trust module is complete and works as an NSS drop in
   replacement for lookup of certificate anchors.

And here's how to play with it. The commands may need some tweaking on
different distros. Especially the --with-system-anchors path...

$ # install libtasn1-devel
$ git clone git://
$ cd p11-kit
$ git checkout trust # this stuff is not on master branch yet
$ sh --prefix=/usr --sysconfdir=/etc --libdir=/usr/lib64
$ make
$ sudo make install
$ sudo mv -v /usr/lib64/ /opt/
$ sudo ln -sv pkcs11/ /usr/lib64/

Now place some certificates in the --with-system-anchors location(s).
Right now, as input, you can use DER, PEM or OpenSSL style 'trusted

For example you can tweak some trust policy bits like so:

$ openssl x509 -addtrust serverAuth -addreject clientAuth -in
/path/to/my-ca.pem -out /etc/pki/tls/certs/anchors/my-ca.pem

Now you can run apps like firefox and see the certificates appear in the
Certificate manager and are trusted as appropriate.

You can use a command like this to see some debug output:

$ P11_KIT_DEBUG=all firefox

All in all, this is just the first step towards a comprehensive way to
share stored system trust information between crypto libraries and

I hope to build the extract tools next.

Thanks for reading this far. :)



p11-glue mailing list
p11-glue at