Bug 82328 - p11-kit: invalid basic constraints certificate extension
Summary: p11-kit: invalid basic constraints certificate extension
Status: RESOLVED FIXED
Alias: None
Product: p11-glue
Classification: Unclassified
Component: p11-kit
Version: unspecified
Hardware: Other All
Importance: medium normal
Assignee: Stef Walter
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-08-08 06:46 UTC by Stef Walter
Modified: 2014-09-05 10:18 UTC
CC List: 2 users

See Also:


Attachments
trust: Print label of certificate when complaining about basic constraints (1.23 KB, patch)
2014-08-08 06:49 UTC, Stef Walter
trust: Don't use invalid public keys for looking up stapled extensions (785 bytes, patch)
2014-08-08 06:49 UTC, Stef Walter

Description Stef Walter 2014-08-08 06:46:56 UTC
There seems to be a problem when parsing certificates in the p11-kit-trust module and we get lots of messages like this:

p11-kit: invalid basic constraints certificate extension
p11-kit: invalid basic constraints certificate extension
p11-kit: invalid basic constraints certificate extension
p11-kit: invalid basic constraints certificate extension
p11-kit: invalid basic constraints certificate extension
p11-kit: invalid basic constraints certificate extension
p11-kit: invalid basic constraints certificate extension
p11-kit: invalid basic constraints certificate extension
p11-kit: invalid basic constraints certificate extension
p11-kit: invalid basic constraints certificate extension
p11-kit: invalid basic constraints certificate extension
p11-kit: invalid basic constraints certificate extension
p11-kit: invalid basic constraints certificate extension
p11-kit: invalid basic constraints certificate extension
p11-kit: invalid basic constraints certificate extension
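The message above is what the trust module prints when it cannot decode a certificate's BasicConstraints extension value and refuses to guess at it. As an added illustration (not p11-kit's own code; the function names `parse_basic_constraints` and `check_basic_constraints` and the byte strings below are constructed for this example), here is a minimal DER decoder for that extension which accepts well-formed encodings and reports the malformed ones instead of silently treating them as "not a CA":

```python
"""
Minimal DER decoder for the X.509 BasicConstraints extension value
(RFC 5280, section 4.2.1.9):

    BasicConstraints ::= SEQUENCE {
        cA                 BOOLEAN DEFAULT FALSE,
        pathLenConstraint  INTEGER (0..MAX) OPTIONAL }

Added example, not p11-kit code. Function names and sample bytes are
constructed for illustration.
"""


def _read_tlv(data, offset):
    """Read one DER tag-length-value at `offset`; return (tag, value, next_offset).
    Only short-form and 1..2 byte long-form lengths are handled, which is
    enough for this small extension."""
    if offset >= len(data):
        raise ValueError("truncated: no tag byte")
    tag = data[offset]
    offset += 1
    if offset >= len(data):
        raise ValueError("truncated: no length byte")
    length = data[offset]
    offset += 1
    if length & 0x80:
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 2:
            raise ValueError("indefinite or unsupported length form")
        if offset + nbytes > len(data):
            raise ValueError("truncated length")
        length = int.from_bytes(data[offset:offset + nbytes], "big")
        offset += nbytes
        if length < 0x80:
            raise ValueError("non-minimal long-form length (DER forbids)")
    end = offset + length
    if end > len(data):
        raise ValueError("truncated value")
    return tag, data[offset:end], end


def parse_basic_constraints(der):
    """Return (ca, path_len) or raise ValueError for an invalid encoding."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("BasicConstraints must be a SEQUENCE")
    if end != len(der):
        raise ValueError("trailing bytes after SEQUENCE")
    ca, path_len, pos = False, None, 0
    if pos < len(body) and body[pos] == 0x01:            # optional BOOLEAN cA
        _, val, pos = _read_tlv(body, pos)
        if len(val) != 1:
            raise ValueError("BOOLEAN must be exactly one byte")
        if val[0] not in (0x00, 0xFF):
            raise ValueError("DER BOOLEAN must be 0x00 or 0xFF")
        # Strict DER would omit an explicit FALSE (it is the DEFAULT);
        # this decoder tolerates it, as many deployed parsers do.
        ca = val[0] == 0xFF
    if pos < len(body) and body[pos] == 0x02:            # optional INTEGER pathLen
        _, val, pos = _read_tlv(body, pos)
        if len(val) == 0:
            raise ValueError("INTEGER needs at least one content byte")
        if val[0] & 0x80:
            raise ValueError("pathLenConstraint must be non-negative")
        if len(val) > 1 and val[0] == 0x00 and not (val[1] & 0x80):
            raise ValueError("non-minimal INTEGER encoding")
        path_len = int.from_bytes(val, "big")
    if pos != len(body):
        raise ValueError("unexpected extra element in BasicConstraints")
    return ca, path_len


def check_basic_constraints(der):
    """Behave like a trust store: return (accepted, message) and never
    turn an undecodable extension into a silent 'not a CA'."""
    try:
        ca, path_len = parse_basic_constraints(der)
    except ValueError as err:
        return False, "invalid basic constraints certificate extension: %s" % err
    if ca:
        shown = "none" if path_len is None else str(path_len)
        return True, "CA certificate, pathLenConstraint=" + shown
    return True, "end-entity certificate (cA absent or FALSE)"


if __name__ == "__main__":
    # Constructed sample encodings: three valid, four malformed.
    for hexval in ("30060101ff020100", "3000", "30030101ff",
                   "30050101ff0201", "3003010142", "0400", "30060101ff0201ff"):
        print(hexval, "->", check_basic_constraints(bytes.fromhex(hexval)))
```

The last four sample values (a truncated INTEGER, a BOOLEAN with an illegal content byte, a wrong outer tag, and a negative path length) are the kind of input that produces the warning; the decoder surfaces the specific reason instead of the bare message.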
Comment 1 Stef Walter 2014-08-08 06:49:46 UTC
Created attachment 104255
trust: Print label of certificate when complaining about basic constraints
Comment 2 Stef Walter 2014-08-08 06:49:47 UTC
Created attachment 104256
trust: Don't use invalid public keys for looking up stapled extensions
Comment 3 Stef Walter 2014-08-08 06:50:07 UTC
The latter patch is the one that actually fixes the issue.
Comment 4 grantksupport 2014-08-08 14:36:19 UTC
Applying patches from above, discussed @

	http://lists.freedesktop.org/archives/p11-glue/2014-August/000457.html

& pkg'd in

	http://download.opensuse.org/repositories/home:/lnussel:/branches:/openSUSE:/13.1:/Update/standard/ 

Upgrading
	
	zypper dup --from BUG_freedesktop_82328
		...
		The following 4 packages are going to change vendor:
		  libp11-kit0    0.20.1-2.1.2 -> 0.20.1-2.3.1  openSUSE -> obs://build.opensuse.org/home:lnussel
		  p11-kit        0.20.1-2.1.2 -> 0.20.1-2.3.1  openSUSE -> obs://build.opensuse.org/home:lnussel
		  p11-kit-devel  0.20.1-2.1.2 -> 0.20.1-2.3.1  openSUSE -> obs://build.opensuse.org/home:lnussel
		  p11-kit-tools  0.20.1-2.1.2 -> 0.20.1-2.3.1  openSUSE -> obs://build.opensuse.org/home:lnussel
		...

returning the errant *p11-kit files,

	mv /usr/share/pki/trust/TEMP/*p11-kit \
	   /usr/share/pki/trust/

testing

	/usr/sbin/update-ca-certificates -v -f

now proceeds without error

	/usr/sbin/update-ca-certificates -v -f
		running /usr/lib/ca-certificates/update.d/certbundle.run ...
		creating /var/lib/ca-certificates/ca-bundle.pem ...
		running /usr/lib/ca-certificates/update.d/etc_ssl.run ...
		Updating certificates in /etc/ssl/certs...
		Doing .
		...
		0 added, 0 removed.
		running /usr/lib/ca-certificates/update.d/java.run ...
		creating /var/lib/ca-certificates/java-cacerts ...
		running /usr/lib/ca-certificates/update.d/openssl.run ...
		creating /var/lib/ca-certificates/openssl ...
Comment 5 Stef Walter 2014-08-08 15:43:10 UTC
Thanks for testing. Pushed to stable branch, will merge to master later.

Attachment 104255 pushed as c48baeb - trust: Print label of certificate when complaining about basic constraints
Attachment 104256 pushed as c6cbda8 - trust: Don't use invalid public keys for looking up stapled extensions
Comment 6 Stef Walter 2014-09-05 10:18:41 UTC
Another related commit:

commit dc55d9d5fc5d904f0bc3c06ba3caf64483b18fa9
Author: Stef Walter <stefw@redhat.com>
Date:   Fri Sep 5 11:29:05 2014 +0200

    trust: Produce a proper message for an invalid stapled extension
    
    Previously we would output a line like this:
    
    p11-kit: 'node != NULL' not true at lookup_extension

