Request for help with troubleshooting "p11-kit: invalid basic constraints certificate extension"
stefw at redhat.com
Fri Aug 8 04:24:30 PDT 2014
On 08.08.2014 13:14, Ludwig Nussel wrote:
> Stef Walter schrieb:
>> On 07.08.2014 17:17, grantksupport at operamail.com wrote:
>>> I've tried repeatedly to get subscribed @ p11-glue LIST; can't seem
>>> to get a response from the list daemon. So, mailing you directly --
>>> hoping you might spare a moment to comment?
>>> I run Opensuse 13.1
>>> I've installed,
>>> rpm -qa | egrep -i "ca-certificates|pkcs11" | sort
>>> libpkcs11-helper1-1.09-5.1.2.x86_64 pam_pkcs11-0.6.8-4.1.1.x86_64
>>> When I exec
>>> /usr/sbin/update-ca-certificates -v -f
>>> some -- NOT all! -- of my machines return a some "p11-kit: invalid
>>> basic constraints certificate extension" messages,
>> Could you try out the patches attached to the following bug, and let me
>> know if it fixes the problem for you?
> I've applied that patches to the 13.1 package:
Does it fix the issue? Looking for someone else to test it.
> Just curious, why does the code path hit a point where it sees an
> invalid public key?
This line sets the type field to CKA_INVALID, but then other code still
assumed the struct was valid without checking the type field.
More information about the p11-glue