p11-kit: invalid basic constraints certificate extension

Ludwig Nussel ludwig.nussel at suse.de
Thu Aug 29 08:35:12 PDT 2013


Stef Walter wrote:
> On 27.08.2013 11:07, Ludwig Nussel wrote:
>> p11-kit 0.19.3 chokes on a .p11-kit file generated by certdata2pem.py:
>>
>> (p11-kit:5031) loader_load_file: loaded:
>> /usr/share/pki/trust/MITM_subCA_1_issued_by_Trustwave:2.4.107.73.210.5.p11-kit
>> (p11-kit:5031) p11_asn1_decode: couldn't parse PKIX1.BasicConstraints:
>> DER_ERROR:
>> p11-kit: invalid basic constraints certificate extension
>>
>> The file has the following content:
>> [p11-kit-object-v1]
>> label: "MITM subCA 1 issued by Trustwave"
>> class: certificate
>> certificate-type: x-509
>> issuer:
>> "0%81%AB1%0B0%09%06%03U%04%06%13%02US1%110%0F%06%03U%04%08%13%08Illinois1%100%0E%06%03U%04%07%13%07Chicago1%210%1F%06%03U%04%0A%13%18Trustwave%20Holdings%2C%20Inc.1301%06%03U%04%03%13%2ATrustwave%20Organization%20Issuing%20CA%2C%20Level%2021%1F0%1D%06%09%2A%86H%86%F7%0D%01%09%01%16%10ca%40trustwave.com"
>>
>> serial-number: "%02%04kI%D2%05"
>> x-distrusted: true
>>
>>
>> Other .p11-kit files generated by certdata2pem.py work fine. Any idea
>> what's wrong with that one?
>
> That's odd. I can't duplicate it. It doesn't seem to have
> BasicConstraints information. Are you sure it's that file that it's
> complaining about? Perhaps one that contains the BasicConstraints OID:
> 2.5.29.19

There's something very weird going on. I tried moving certificates in
and out and different combinations lead to different errors.
I can reproduce the above error by only keeping the above cited file
plus CNNIC_ROOT.pem. If I move all C*.pem files the error is gone.
If I move a few back I get a different error:

(p11-kit:8539) loader_load_file: loaded: /usr/share/pki/trust/ComSign_CA.pem
(p11-kit:8539) loader_load_file: loaded: /usr/share/pki/trust/Cybertrust_Global_Root.pem
(p11-kit:8539) loader_load_file: loaded: /usr/share/pki/trust/MITM_subCA_1_issued_by_Trustwave:2.4.107.73.210.5.p11-kit
(p11-kit:8539) p11_asn1_decode: couldn't parse PKIX1.Extension: TAG_ERROR: :: tag error near element 'extnID.'
p11-kit: 'node != NULL' not true at lookup_extension

It totally depends on the combination of certificates. Maybe there is an
uninitialized value somewhere or some piece of memory gets reused.
valgrind doesn't complain at least.

cu
Ludwig

-- 
  (o_   Ludwig Nussel
  //\
  V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
-------------- next part --------------
p11-kit: no filter specified, defaulting to 'ca-anchors'
(p11-kit:8539) p11_library_init_impl: initializing library
(p11-kit:8539) sys_C_Initialize: in
(p11-kit:8539) sys_C_Initialize: doing initialization
(p11-kit:8539) create_tokens_inlock: using paths: /etc/pki/trust:/usr/share/pki/trust
(p11-kit:8539) p11_token_new: token: System Trust: /etc/pki/trust
(p11-kit:8539) p11_token_new: token: Default Trust: /usr/share/pki/trust
(p11-kit:8539) sys_C_Initialize: out: 0x0
(p11-kit:8539) sys_C_GetInfo: in
(p11-kit:8539) sys_C_GetInfo: out: 0x0
(p11-kit:8539) sys_C_GetSlotList: in
(p11-kit:8539) sys_C_GetSlotList: out: 0x0
(p11-kit:8539) sys_C_GetSlotList: in
(p11-kit:8539) sys_C_GetSlotList: out: 0x0
(p11-kit:8539) sys_C_GetTokenInfo: in
(p11-kit:8539) sys_C_GetTokenInfo: out: 0x0
(p11-kit:8539) sys_C_OpenSession: in
(p11-kit:8539) sys_C_OpenSession: session: 18
(p11-kit:8539) sys_C_OpenSession: out: 0x0
(p11-kit:8539) sys_C_FindObjectsInit: in: 18, (3) [ { CKA_CLASS = CKO_CERTIFICATE }, { CKA_CERTIFICATE_CATEGORY = 2 (authority) }, { CKA_CERTIFICATE_TYPE = CKC_X_509 } ]
(p11-kit:8539) loader_load_file: loaded: /etc/pki/trust/anchors/SUSE_Trust_Root.crt.pem
(p11-kit:8539) loader_load_file: skipped: /etc/pki/trust/anchors/log
(p11-kit:8539) sys_C_FindObjectsInit: out: 0x0
(p11-kit:8539) sys_C_FindObjects: in: 18, 64
(p11-kit:8539) sys_C_FindObjects: out: 0x12, 1
(p11-kit:8539) sys_C_FindObjectsFinal: in
(p11-kit:8539) sys_C_FindObjectsFinal: out: 0x0
(p11-kit:8539) sys_C_GetAttributeValue: in: 18, 19
(p11-kit:8539) sys_C_GetAttributeValue: out: 0x0 (11) [ { CKA_ID = (20) NULL }, { CKA_CLASS = (8) NULL }, { CKA_CERTIFICATE_TYPE = (8) NULL }, { CKA_LABEL = (15) NULL }, { CKA_VALUE = (1772) NOT-PRINTED }, { CKA_SUBJECT = (171) NULL }, { CKA_ISSUER = (171) NULL }, { CKA_TRUSTED = (1) NULL }, { CKA_CERTIFICATE_CATEGORY = (8) NULL }, { CKA_X_DISTRUSTED = (1) NULL }, { CKA_X_PUBLIC_KEY_INFO = (550) NULL } ]
(p11-kit:8539) sys_C_GetAttributeValue: in: 18, 19
(p11-kit:8539) sys_C_GetAttributeValue: out: 0x0 (11) [ { CKA_ID = (20) "\xb8\xdcH\xe8\xd9L`\xb0\x118\xeb&m\xc24\xe5\xfa,\xccn" }, { CKA_CLASS = CKO_CERTIFICATE }, { CKA_CERTIFICATE_TYPE = CKC_X_509 }, { CKA_LABEL = (15) "SUSE Trust Root" }, { CKA_VALUE = (1772) NOT-PRINTED }, { CKA_SUBJECT = (171) "0\x81\xa81\x0b0\t\x06\x03U\x04\x06\x13\x02DE1\x120\x10\x06\x03U\x04\x08\x13\tFranconia1\x120\x10\x06\x03U\x04\x07\x13\tNuremberg1!0\x1f\x06\x03U\x04\n\x13\x18SUSE Linux Products GmbH1\x150\x13\x06\x03U\x04\x0b\x13\x0cOPS Serv
(p11-kit:8539) sys_C_FindObjectsInit: in: 18, (2) [ { CKA_VALUE = (1772) NOT-PRINTED }, { CKA_X_DISTRUSTED = (1) "\x01" } ]
(p11-kit:8539) sys_C_FindObjectsInit: out: 0x0
(p11-kit:8539) sys_C_FindObjects: in: 18, 1
(p11-kit:8539) sys_C_FindObjects: out: 0x12, 0
(p11-kit:8539) sys_C_FindObjectsFinal: in
(p11-kit:8539) sys_C_FindObjectsFinal: out: 0x0
(p11-kit:8539) sys_C_GetSessionInfo: in
(p11-kit:8539) sys_C_GetSessionInfo: out: 0x0
(p11-kit:8539) sys_C_FindObjectsInit: in: 18, (2) [ { CKA_CLASS = CKO_X_CERTIFICATE_EXTENSION }, { CKA_X_PUBLIC_KEY_INFO = (550) "0\x82\x02"0\r\x06\t*\x86H\x86\xf7\r\x01\x01\x01\x05\x00\x03\x82\x02\x0f\x000\x82\x02\n\x02\x82\x02\x01\x00\xd7rWy\x11309q\t\xd5\x9b\xdd\xbc\x04\x7f\xde\xe5\xf86=\xbf\t\xdc\xe5\x13\xe2=/\x80vp\xde\x87\x10\x8cK<\xcb\xd2o\xd6\x97\xe4\x9a\t|\x98A;\xaa-\xc0Fo\xb8!\x8c2\x98\xc10\xdf\x8ei\x9c\xa1r\xfc<\xa0/\x11\x0c\x89\x84\xc0\r\x98\x02\x02\x80\xb0\x90r\xda\x8em\xc6\xfb=2W\xf0\xb8..." } ]
(p11-kit:8539) sys_C_FindObjectsInit: out: 0x0
(p11-kit:8539) sys_C_FindObjects: in: 18, 64
(p11-kit:8539) sys_C_FindObjects: out: 0x12, 0
(p11-kit:8539) sys_C_FindObjectsFinal: in
(p11-kit:8539) sys_C_FindObjectsFinal: out: 0x0
(p11-kit:8539) sys_C_CloseSession: in
(p11-kit:8539) sys_C_CloseSession: out: 0x0
(p11-kit:8539) sys_C_GetTokenInfo: in
(p11-kit:8539) sys_C_GetTokenInfo: out: 0x0
(p11-kit:8539) sys_C_OpenSession: in
(p11-kit:8539) sys_C_OpenSession: session: 29
(p11-kit:8539) sys_C_OpenSession: out: 0x0
(p11-kit:8539) sys_C_FindObjectsInit: in: 29, (3) [ { CKA_CLASS = CKO_CERTIFICATE }, { CKA_CERTIFICATE_CATEGORY = 2 (authority) }, { CKA_CERTIFICATE_TYPE = CKC_X_509 } ]
(p11-kit:8539) loader_load_file: loaded: /usr/share/pki/trust/ComSign_CA.pem
(p11-kit:8539) loader_load_file: loaded: /usr/share/pki/trust/Cybertrust_Global_Root.pem
(p11-kit:8539) loader_load_file: loaded: /usr/share/pki/trust/MITM_subCA_1_issued_by_Trustwave:2.4.107.73.210.5.p11-kit
(p11-kit:8539) p11_asn1_decode: couldn't parse PKIX1.Extension: TAG_ERROR: :: tag error near element 'extnID.'
p11-kit: 'node != NULL' not true at lookup_extension
(p11-kit:8539) loader_load_file: skipped: /usr/share/pki/trust/log
(p11-kit:8539) sys_C_FindObjectsInit: out: 0x0
(p11-kit:8539) sys_C_FindObjects: in: 29, 64
(p11-kit:8539) sys_C_FindObjects: out: 0x1d, 2
(p11-kit:8539) sys_C_FindObjectsFinal: in
(p11-kit:8539) sys_C_FindObjectsFinal: out: 0x0
(p11-kit:8539) sys_C_GetAttributeValue: in: 29, 31
(p11-kit:8539) sys_C_GetAttributeValue: out: 0x0 (11) [ { CKA_ID = (20) NULL }, { CKA_CLASS = (8) NULL }, { CKA_CERTIFICATE_TYPE = (8) NULL }, { CKA_LABEL = (10) NULL }, { CKA_VALUE = (919) NOT-PRINTED }, { CKA_SUBJECT = (54) NULL }, { CKA_ISSUER = (54) NULL }, { CKA_TRUSTED = (1) NULL }, { CKA_CERTIFICATE_CATEGORY = (8) NULL }, { CKA_X_DISTRUSTED = (1) NULL }, { CKA_X_PUBLIC_KEY_INFO = (294) NULL } ]
(p11-kit:8539) sys_C_GetAttributeValue: in: 29, 31
(p11-kit:8539) sys_C_GetAttributeValue: out: 0x0 (11) [ { CKA_ID = (20) ".\xc6\x15h\xb72\xe2\xea9k\x9e3\xc0=mx7\xd9\x8f:" }, { CKA_CLASS = CKO_CERTIFICATE }, { CKA_CERTIFICATE_TYPE = CKC_X_509 }, { CKA_LABEL = (10) "ComSign CA" }, { CKA_VALUE = (919) NOT-PRINTED }, { CKA_SUBJECT = (54) "041\x130\x11\x06\x03U\x04\x03\x13\nComSign CA1\x100\x0e\x06\x03U\x04\n\x13\x07ComSign1\x0b0\t\x06\x03U\x04\x06\x13\x02IL" }, { CKA_ISSUER = (54) "041\x130\x11\x06\x03U\x04\x03\x13\nComSign CA1\x100\x0e\x06\x03U\x04\n\x13\x07ComSign1\x0b0\
(p11-kit:8539) sys_C_FindObjectsInit: in: 29, (2) [ { CKA_VALUE = (919) NOT-PRINTED }, { CKA_X_DISTRUSTED = (1) "\x01" } ]
(p11-kit:8539) sys_C_FindObjectsInit: out: 0x0
(p11-kit:8539) sys_C_FindObjects: in: 29, 1
(p11-kit:8539) sys_C_FindObjects: out: 0x1d, 0
(p11-kit:8539) sys_C_FindObjectsFinal: in
(p11-kit:8539) sys_C_FindObjectsFinal: out: 0x0
(p11-kit:8539) sys_C_GetSessionInfo: in
(p11-kit:8539) sys_C_GetSessionInfo: out: 0x0
(p11-kit:8539) sys_C_FindObjectsInit: in: 29, (2) [ { CKA_CLASS = CKO_X_CERTIFICATE_EXTENSION }, { CKA_X_PUBLIC_KEY_INFO = (294) "0\x82\x01"0\r\x06\t*\x86H\x86\xf7\r\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\n\x02\x82\x01\x01\x00\xf0\xe4Ti+\xd3\xc7\x8fjD\xe4~X'\xf8\x0b\xd0\xe4\x94\x12\x8a\xf1\x1b88/\x1f1\x9c\x06\xd4,\xa7\xde\x0b*\xae\x1a\xa0\xe3\x9ej\xbf\x9f<\xc7n\xa2\xf9\x8bdl:\xad\x85UQT\xa58U\xb8\xab\x83\x04\xf2?d6\xf7\xc0\x8dCCjf\xd1\xf7\x17*\xd5\xef6\xfa0\x10B\xd7S\xcd\xf9\xfa3sL..." } ]
(p11-kit:8539) sys_C_FindObjectsInit: out: 0x0
(p11-kit:8539) sys_C_FindObjects: in: 29, 64
(p11-kit:8539) sys_C_FindObjects: out: 0x1d, 1
(p11-kit:8539) sys_C_FindObjectsFinal: in
(p11-kit:8539) sys_C_FindObjectsFinal: out: 0x0
(p11-kit:8539) sys_C_GetAttributeValue: in: 29, 30
(p11-kit:8539) sys_C_GetAttributeValue: out: 0x0 (1) [ { CKA_VALUE = (24) NOT-PRINTED } ]
(p11-kit:8539) sys_C_GetAttributeValue: in: 29, 30
(p11-kit:8539) sys_C_GetAttributeValue: out: 0x0 (1) [ { CKA_VALUE = (24) NOT-PRINTED } ]
(p11-kit:8539) sys_C_GetAttributeValue: in: 29, 36
(p11-kit:8539) sys_C_GetAttributeValue: out: 0x0 (11) [ { CKA_ID = (20) NULL }, { CKA_CLASS = (8) NULL }, { CKA_CERTIFICATE_TYPE = (8) NULL }, { CKA_LABEL = (22) NULL }, { CKA_VALUE = (933) NOT-PRINTED }, { CKA_SUBJECT = (61) NULL }, { CKA_ISSUER = (61) NULL }, { CKA_TRUSTED = (1) NULL }, { CKA_CERTIFICATE_CATEGORY = (8) NULL }, { CKA_X_DISTRUSTED = (1) NULL }, { CKA_X_PUBLIC_KEY_INFO = (294) NULL } ]
(p11-kit:8539) sys_C_GetAttributeValue: in: 29, 36
(p11-kit:8539) sys_C_GetAttributeValue: out: 0x0 (11) [ { CKA_ID = (20) "\x99\x80\xbf|\xf4P\x8b\xa2\xd0L\xe3\xa1\x86\xe4\xf3\x82q\x1e\x0c\xc7" }, { CKA_CLASS = CKO_CERTIFICATE }, { CKA_CERTIFICATE_TYPE = CKC_X_509 }, { CKA_LABEL = (22) "Cybertrust Global Root" }, { CKA_VALUE = (933) NOT-PRINTED }, { CKA_SUBJECT = (61) "0;1\x180\x16\x06\x03U\x04\n\x13\x0fCybertrust, Inc1\x1f0\x1d\x06\x03U\x04\x03\x13\x16Cybertrust Global Root" }, { CKA_ISSUER = (61) "0;1\x180\x16\x06\x03U\x04\n\x13\x0fCybertrust, Inc1\x1f0\x1d\x06\x03U\x0
(p11-kit:8539) sys_C_FindObjectsInit: in: 29, (2) [ { CKA_VALUE = (933) NOT-PRINTED }, { CKA_X_DISTRUSTED = (1) "\x01" } ]
(p11-kit:8539) sys_C_FindObjectsInit: out: 0x0
(p11-kit:8539) sys_C_FindObjects: in: 29, 1
(p11-kit:8539) sys_C_FindObjects: out: 0x1d, 0
(p11-kit:8539) sys_C_FindObjectsFinal: in
(p11-kit:8539) sys_C_FindObjectsFinal: out: 0x0
(p11-kit:8539) sys_C_GetSessionInfo: in
(p11-kit:8539) sys_C_GetSessionInfo: out: 0x0
(p11-kit:8539) sys_C_FindObjectsInit: in: 29, (2) [ { CKA_CLASS = CKO_X_CERTIFICATE_EXTENSION }, { CKA_X_PUBLIC_KEY_INFO = (294) "0\x82\x01"0\r\x06\t*\x86H\x86\xf7\r\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\n\x02\x82\x01\x01\x00\xf8\xc8\xbc\xbd\x14Pf\x13\xff\xf0\xd3y\xec#\xf2\xb7\x1a\xc7\x8e\x85\xf1\x12s\xa6\x19\xaa\x10\xdb\x9c\xa2etZw>Q}V\xf6\xdc#\xb6\xd4\xed_X\xb17M\xd5I\x0en\xf5j\x87\xd6\xd2\x8c\xd2'\xc6\xe2\xff6\x9f\x98e\xa0\x13N\xc6*d\x9b\xd5\x90\x12\xcf\x14\x06\xf4;\xe3\xd4(\xbe\xe8\x0e\xf8\xabNH\x94m..." }
(p11-kit:8539) sys_C_FindObjectsInit: out: 0x0
(p11-kit:8539) sys_C_FindObjects: in: 29, 64
(p11-kit:8539) sys_C_FindObjects: out: 0x1d, 1
(p11-kit:8539) sys_C_FindObjectsFinal: in
(p11-kit:8539) sys_C_FindObjectsFinal: out: 0x0
(p11-kit:8539) sys_C_GetAttributeValue: in: 29, 35
(p11-kit:8539) sys_C_GetAttributeValue: out: 0x0 (1) [ { CKA_VALUE = (24) NOT-PRINTED } ]
(p11-kit:8539) sys_C_GetAttributeValue: in: 29, 35
(p11-kit:8539) sys_C_GetAttributeValue: out: 0x0 (1) [ { CKA_VALUE = (24) NOT-PRINTED } ]
(p11-kit:8539) sys_C_CloseSession: in
(p11-kit:8539) sys_C_CloseSession: out: 0x0
(p11-kit:8539) sys_C_Finalize: in
(p11-kit:8539) sys_C_Finalize: doing finalization
(p11-kit:8539) sys_C_Finalize: out: 0x0
(p11-kit:8539) uninit_common: uninitializing library
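Stef's question is whether the quoted object file is actually malformed. The checker below is an added example, not code from p11-kit or from either poster: it percent-decodes the quoted values of the `[p11-kit-object-v1]` block (the `%XX` escaping visible in the mail), then walks the DER of `issuer` as an X.501 Name and of `serial-number` as an INTEGER, refusing truncated or indefinite-length encodings. The sample is the block from the mail with the wrapped `issuer` value re-joined onto one line; the function names, the `OID_NAMES` table and the `check_file` result layout are this example's own choices.

```python
"""Validate the DER-encoded fields of a p11-kit object file (added example)."""

# Constructed from the block quoted in the mail; issuer value is unchanged.
SAMPLE = '''[p11-kit-object-v1]
label: "MITM subCA 1 issued by Trustwave"
class: certificate
certificate-type: x-509
issuer: "0%81%AB1%0B0%09%06%03U%04%06%13%02US1%110%0F%06%03U%04%08%13%08Illinois1%100%0E%06%03U%04%07%13%07Chicago1%210%1F%06%03U%04%0A%13%18Trustwave%20Holdings%2C%20Inc.1301%06%03U%04%03%13%2ATrustwave%20Organization%20Issuing%20CA%2C%20Level%2021%1F0%1D%06%09%2A%86H%86%F7%0D%01%09%01%16%10ca%40trustwave.com"
serial-number: "%02%04kI%D2%05"
x-distrusted: true
'''

# Hex of the DER OID content for a few common X.500 attribute types.
OID_NAMES = {'550406': 'C', '550408': 'ST', '550407': 'L', '55040a': 'O',
             '550403': 'CN', '2a864886f70d010901': 'emailAddress'}


def percent_decode(s: str) -> bytes:
    """Undo the %XX escaping p11-kit uses for binary attribute values."""
    out, i = bytearray(), 0
    while i < len(s):
        if s[i] == '%':
            out.append(int(s[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(ord(s[i]))
            i += 1
    return bytes(out)


def parse_object_file(text: str) -> dict:
    """key -> value for one object block; quoted values become bytes."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('['):
            continue
        key, _, value = line.partition(':')
        value = value.strip()
        if value.startswith('"') and value.endswith('"'):
            fields[key.strip()] = percent_decode(value[1:-1])
        else:
            fields[key.strip()] = value
    return fields


def der_tlv(buf: bytes, pos: int = 0):
    """Read one TLV at pos -> (tag, content, next_pos); strict about lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header at offset %d" % pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length == 0x80:
        raise ValueError("indefinite length is not DER")
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        if pos + n > len(buf):
            raise ValueError("truncated long-form length")
        length, pos = int.from_bytes(buf[pos:pos + n], 'big'), pos + n
    if pos + length > len(buf):
        raise ValueError("content overruns buffer at offset %d" % pos)
    return tag, buf[pos:pos + length], pos + length


def der_children(content: bytes) -> list:
    """Split a constructed value's content into its (tag, content) TLVs."""
    items, pos = [], 0
    while pos < len(content):
        tag, body, pos = der_tlv(content, pos)
        items.append((tag, body))
    return items


def decode_name(der: bytes) -> list:
    """Walk SEQUENCE { SET { SEQUENCE { OID, value } } } -> [(type, str)]."""
    tag, content, end = der_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("Name is not a single SEQUENCE")
    attrs = []
    for set_tag, set_body in der_children(content):
        if set_tag != 0x31:
            raise ValueError("RDN is not a SET")
        for seq_tag, seq_body in der_children(set_body):
            if seq_tag != 0x30:
                raise ValueError("AttributeTypeAndValue is not a SEQUENCE")
            (oid_tag, oid), (_, value) = der_children(seq_body)
            if oid_tag != 0x06:
                raise ValueError("attribute type is not an OID")
            attrs.append((OID_NAMES.get(oid.hex(), oid.hex()), value.decode('latin-1')))
    return attrs


def is_valid_name(der: bytes) -> bool:
    """True if der is a well-formed X.501 Name, False on any DER defect."""
    try:
        decode_name(der)
        return True
    except ValueError:
        return False


def decode_serial(der: bytes) -> int:
    tag, content, end = der_tlv(der)
    if tag != 0x02 or end != len(der):
        raise ValueError("serial is not a single INTEGER")
    return int.from_bytes(content, 'big', signed=True)


def check_file(text: str) -> dict:
    """Parse one .p11-kit object block and decode its DER fields."""
    f = parse_object_file(text)
    return {'label': f['label'].decode(),
            'issuer': decode_name(f['issuer']),
            'serial': decode_serial(f['serial-number']),
            'distrusted': f.get('x-distrusted') == 'true'}


if __name__ == '__main__':
    print(check_file(SAMPLE))
```

On the quoted block this yields six RDN attributes (C, ST, L, O, CN, emailAddress) whose nested lengths all add up, and serial 1800000005 (bytes 6B 49 D2 05, the same 107.73.210.5 that appears in the file name), so these two fields are well-formed DER; the block carries no basic-constraints value at all, which is consistent with the error coming from some other file loaded alongside it. Chopping bytes off the issuer makes `is_valid_name` return False rather than silently decoding a partial name.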