Request for help with troubleshooting "p11-kit: invalid basic constraints certificate extension"

Stef Walter stefw at redhat.com
Fri Aug 8 04:24:30 PDT 2014


On 08.08.2014 13:14, Ludwig Nussel wrote:
> Stef Walter wrote:
>> On 07.08.2014 17:17, grantksupport at operamail.com wrote:
>>> I've tried repeatedly to get subscribed @ p11-glue LIST; can't seem
>>> to get a response from the list daemon.  So, mailing you directly --
>>> hoping you might spare a moment to comment?
>>>
>>> I run Opensuse 13.1
>>>
>>> I've installed,
>>>
>>> rpm -qa | egrep -i "ca-certificates|pkcs11" | sort
>>> ca-certificates-1_201312011643-4.1.noarch
>>> ca-certificates-cacert-1-15.1.2.noarch
>>> ca-certificates-mozilla-1.97-3.12.1.noarch
>>> libpkcs11-helper1-1.09-5.1.2.x86_64
>>> pam_pkcs11-0.6.8-4.1.1.x86_64
>>> pkcs11-helper-1.09-5.1.2.x86_64
>>>
>>> When I exec
>>>
>>> /usr/sbin/update-ca-certificates -v -f
>>>
>>> some -- NOT all! -- of my machines return some "p11-kit: invalid
>>> basic constraints certificate extension" messages,
>>
>> Could you try out the patches attached to the following bug, and let me
>> know if it fixes the problem for you?
>>
>> https://bugs.freedesktop.org/show_bug.cgi?id=82328
> 
> I've applied those patches to the 13.1 package:
> http://download.opensuse.org/repositories/home:/lnussel:/branches:/openSUSE:/13.1:/Update/standard/

Does it fix the issue? Looking for someone else to test it.

> Just curious, why does the code path hit a point where it sees an
> invalid public key?

This line sets the type field to CKA_INVALID, but then other code still
assumed the struct was valid without checking the type field.

http://cgit.freedesktop.org/p11-glue/p11-kit/tree/trust/builder.c?h=stable#n643

Stef
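
The pattern described in the reply above, a slot whose type is set to CKA_INVALID while other code still consumes its value and length, shown as an added illustration that is not p11-kit's code and not part of the original message. The struct stand-ins, the toy DER check, the sample bytes and all function names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-ins for the PKCS#11 types (assumption: not p11-kit's own headers). */
typedef unsigned long CK_ULONG;
typedef struct { CK_ULONG type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
#define CKA_VALUE   0x00000011UL
#define CKA_INVALID ((CK_ULONG)-1)  /* sentinel: the slot holds no attribute */

typedef enum { EXT_ABSENT, EXT_NOT_CA, EXT_IS_CA, EXT_MALFORMED } ext_result;

/* Toy DER check for BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE }. */
static ext_result parse_basic_constraints(const unsigned char *der, size_t len)
{
    if (der == NULL || len < 2 || der[0] != 0x30 || (size_t)der[1] != len - 2)
        return EXT_MALFORMED;
    if (len == 2)
        return EXT_NOT_CA;                      /* empty SEQUENCE */
    if (len >= 5 && der[2] == 0x01 && der[3] == 0x01)
        return der[4] ? EXT_IS_CA : EXT_NOT_CA;
    return EXT_MALFORMED;
}

/* Unchecked consumer: trusts pValue/ulValueLen without looking at type. */
ext_result read_ext_unchecked(const CK_ATTRIBUTE *attr)
{
    return parse_basic_constraints(attr->pValue, attr->ulValueLen);
}

/* Checked consumer: a CKA_INVALID slot means "no extension", not "bad one". */
ext_result read_ext_checked(const CK_ATTRIBUTE *attr)
{
    if (attr == NULL || attr->type == CKA_INVALID)
        return EXT_ABSENT;
    return parse_basic_constraints(attr->pValue, attr->ulValueLen);
}

/* Constructed sample data: one well-formed extension, one invalidated slot. */
static unsigned char sample_ca[] = { 0x30, 0x03, 0x01, 0x01, 0xFF };
CK_ATTRIBUTE ca_slot = { CKA_VALUE, sample_ca, sizeof sample_ca };
CK_ATTRIBUTE invalid_slot = { CKA_INVALID, NULL, 0 };

int main(void)
{
    printf("unchecked, invalid slot: %d\n", read_ext_unchecked(&invalid_slot));
    printf("checked,   invalid slot: %d\n", read_ext_checked(&invalid_slot));
    printf("checked,   CA extension: %d\n", read_ext_checked(&ca_slot));
    return 0;
}
```

The unchecked reader reports the invalidated slot as a malformed extension, while the checked reader treats it as absent and still parses the well-formed one.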

