Correspondence between TRUSTED CERTIFICATE and TrustAnchorInfo
OpenSSL supports certificates with auxiliary trust/distrust information stored with the PEM label "TRUSTED CERTIFICATE". Other projects like p11-kit seem to have at least partial compatibility with this format, I think. The auxiliary information seems to be defined by the following ASN.1 (inferred from openssl/crypto/x509/x_x509a.c):
```asn1
X509Aux ::= SEQUENCE {
    trust   SEQUENCE OF OBJECT IDENTIFIER OPTIONAL,               -- EKUs
    reject  [0] IMPLICIT SEQUENCE OF OBJECT IDENTIFIER OPTIONAL,  -- EKUs
    alias   UTF8String OPTIONAL,
    keyid   OCTET STRING OPTIONAL,
    other   [1] IMPLICIT SEQUENCE OF AlgorithmIdentifier OPTIONAL
}
```
Question 1: Is there a document that defines this format and the meanings and uses of these fields?
RFC 5914 defines a type called TrustAnchorInfo, which provides a much more general mechanism for modifying or constraining the ways in which a certificate is trusted. (For example, it can impose name constraints on a certificate, which OpenSSL's aux info cannot.)
Question 2: Has someone already worked out (and documented) a partial mapping between the OpenSSL Certificate+X509Aux data and TrustAnchorInfo? Maybe one of the PKCS11 projects? Or is there a better alternative to TrustAnchorInfo?
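To make the layout concrete, here is a small parser for the aux trailer, written as an added example rather than code from OpenSSL, p11-kit or the question. It assumes what `d2i_X509_AUX` does with a TRUSTED CERTIFICATE PEM body: the DER Certificate comes first and the DER X509Aux (per the ASN.1 above) is concatenated directly after it. The PEM sample is constructed inline; its leading SEQUENCE is a placeholder standing in for a real Certificate, not a valid X.509 object, and the EKU OIDs, alias and key id are made-up values. The parser also rejects fields that are unknown, repeated or out of their declared order, which is the kind of strictness a trust-store loader should have.

```python
# Added example (not OpenSSL or p11-kit code): parse the X509Aux trailer that
# follows the Certificate inside a "TRUSTED CERTIFICATE" PEM block.
import base64

SEQUENCE, OID, OCTET, UTF8 = 0x30, 0x06, 0x04, 0x0C
REJECT_TAG, OTHER_TAG = 0xA0, 0xA1   # [0] and [1] IMPLICIT, constructed
FIELD_ORDER = {SEQUENCE: 0, REJECT_TAG: 1, UTF8: 2, OCTET: 3, OTHER_TAG: 4}

def read_tlv(buf, pos=0):
    """Read one DER tag/length/value at buf[pos]; return (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length, 1..4 bytes
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end

def decode_oid(value):
    """OID content octets -> dotted string (the first octet packs two arcs)."""
    first = value[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def oid_list(value):
    """Content of SEQUENCE OF OBJECT IDENTIFIER -> list of dotted OIDs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        if tag != OID:
            raise ValueError("trust/reject entries must be OBJECT IDENTIFIERs")
        out.append(decode_oid(val))
    return out

def parse_aux(der, pos=0):
    """Parse one X509Aux SEQUENCE at der[pos], enforcing the declared field order."""
    tag, body, end = read_tlv(der, pos)
    if tag != SEQUENCE:
        raise ValueError("X509Aux must be a SEQUENCE")
    aux = {"trust": [], "reject": [], "alias": None, "keyid": None, "other": None}
    p, last = 0, -1
    while p < len(body):
        tag, val, p = read_tlv(body, p)
        if FIELD_ORDER.get(tag, -1) <= last:    # unknown, repeated or out-of-order field
            raise ValueError(f"unexpected field tag {tag:#x}")
        last = FIELD_ORDER[tag]
        if tag == SEQUENCE:
            aux["trust"] = oid_list(val)
        elif tag == REJECT_TAG:
            aux["reject"] = oid_list(val)
        elif tag == UTF8:
            aux["alias"] = val.decode("utf-8")
        elif tag == OCTET:
            aux["keyid"] = val
        else:                                   # [1]: raw SEQUENCE OF AlgorithmIdentifier
            aux["other"] = val
    return aux, end

def split_trusted_certificate(pem):
    """TRUSTED CERTIFICATE PEM -> (Certificate DER, parsed X509Aux dict)."""
    lines = [ln.strip() for ln in pem.splitlines()]
    start = lines.index("-----BEGIN TRUSTED CERTIFICATE-----") + 1
    stop = lines.index("-----END TRUSTED CERTIFICATE-----")
    der = base64.b64decode("".join(lines[start:stop]))
    _, _, cert_end = read_tlv(der)          # the Certificate SEQUENCE comes first
    aux, aux_end = parse_aux(der, cert_end)
    if aux_end != len(der):
        raise ValueError("trailing bytes after X509Aux")
    return der[:cert_end], aux

# --- constructed sample (not real data); tiny DER encoder for lengths < 128 ---
def tlv(tag, value):
    return bytes([tag, len(value)]) + value

def enc_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while (a := a >> 7):
            chunk.append(0x80 | (a & 0x7F))
        body += bytes(reversed(chunk))
    return tlv(OID, bytes(body))

FAKE_CERT = tlv(SEQUENCE, tlv(OCTET, b"placeholder, not a real Certificate"))
SAMPLE_AUX = tlv(SEQUENCE,
                 tlv(SEQUENCE, enc_oid("1.3.6.1.5.5.7.3.1"))       # trust: serverAuth
                 + tlv(REJECT_TAG, enc_oid("1.3.6.1.5.5.7.3.2"))   # reject: clientAuth
                 + tlv(UTF8, b"Example Root")
                 + tlv(OCTET, bytes.fromhex("0102030405")))
SAMPLE_PEM = ("-----BEGIN TRUSTED CERTIFICATE-----\n"
              + base64.b64encode(FAKE_CERT + SAMPLE_AUX).decode()
              + "\n-----END TRUSTED CERTIFICATE-----\n")
```

Calling `split_trusted_certificate(SAMPLE_PEM)` returns the placeholder certificate bytes and a dict with `trust == ["1.3.6.1.5.5.7.3.1"]`, `reject == ["1.3.6.1.5.5.7.3.2"]`, `alias == "Example Root"` and the five-byte key id. Note that only `trust` and `reject` (EKU OIDs) carry trust semantics; a mapping to RFC 5914 TrustAnchorInfo would have nowhere obvious to put `alias`, `keyid` or `other` beyond informational fields, and nothing in X509Aux corresponds to the name or policy constraints TrustAnchorInfo can express.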
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow