p11-kit: invalid basic constraints certificate extension

Stef Walter stefw at redhat.com
Thu Aug 29 13:02:14 PDT 2013 

On 29.08.2013 17:35, Ludwig Nussel wrote:
> Stef Walter wrote:
>> On 27.08.2013 11:07, Ludwig Nussel wrote:
>>> p11-kit 0.19.3 chokes on a .p11-kit file generated by certdata2pem.py:
>>>
>>> (p11-kit:5031) loader_load_file: loaded:
>>> /usr/share/pki/trust/MITM_subCA_1_issued_by_Trustwave:2.4.107.73.210.5.p11-kit
>>>
>>> (p11-kit:5031) p11_asn1_decode: couldn't parse PKIX1.BasicConstraints:
>>> DER_ERROR:
>>> p11-kit: invalid basic constraints certificate extension
>>>
>>> The file has the following content:
>>> [p11-kit-object-v1]
>>> label: "MITM subCA 1 issued by Trustwave"
>>> class: certificate
>>> certificate-type: x-509
>>> issuer:
>>> "0%81%AB1%0B0%09%06%03U%04%06%13%02US1%110%0F%06%03U%04%08%13%08Illinois1%100%0E%06%03U%04%07%13%07Chicago1%210%1F%06%03U%04%0A%13%18Trustwave%20Holdings%2C%20Inc.1301%06%03U%04%03%13%2ATrustwave%20Organization%20Issuing%20CA%2C%20Level%2021%1F0%1D%06%09%2A%86H%86%F7%0D%01%09%01%16%10ca%40trustwave.com"
>>>
>>>
>>> serial-number: "%02%04kI%D2%05"
>>> x-distrusted: true
>>>
>>>
>>> Other .p11-kit files generated by certdata2pem.py work fine. Any idea
>>> what's wrong with that one?
>>
>> That's odd. I can't duplicate it. It doesn't seem to have
>> BasicConstraints information. Are you sure it's that file that it's
>> complaining about. Perhaps one that contains the BasicContstraints OID:
>> 2.5.29.19
> 
> There's something very weird going on. I tried moving certificates in
> and out and different combinations lead to different errors.
> I can reproduce the above error by only keeping the above cited file
> plus CNNIC_ROOT.pem. If I move all C*.pem files the error is gone.
> If I move a few back I get a different error:
> 
> (p11-kit:8539) loader_load_file: loaded:
> /usr/share/pki/trust/ComSign_CA.pem
> (p11-kit:8539) loader_load_file: loaded:
> /usr/share/pki/trust/Cybertrust_Global_Root.pem
> (p11-kit:8539) loader_load_file: loaded:
> /usr/share/pki/trust/MITM_subCA_1_issued_by_Trustwave:2.4.107.73.210.5.p11-kit
> 
> (p11-kit:8539) p11_asn1_decode: couldn't parse PKIX1.Extension:
> TAG_ERROR: :: tag error near element 'extnID.'
> p11-kit: 'node != NULL' not true at lookup_extension
> 
> It totally depends on the combination of certificates. Maybe there is an
> uninitialized value somewhere or some piece of memory gets reused.
> valgrind doesn't complain at least.

Very strange. Could you send me a tarball of the input files/directory
that cause this problem?

Stef

More information about the p11-glue mailing list