Request for help with troubleshooting "p11-kit: invalid basic constraints certificate extension"

Stef Walter stefw at redhat.com
Fri Aug 8 06:26:34 PDT 2014


On 08.08.2014 13:37, Ludwig Nussel wrote:
> Stef Walter wrote:
>> On 08.08.2014 13:14, Ludwig Nussel wrote:
>>> Stef Walter wrote:
>>>> On 07.08.2014 17:17, grantksupport at operamail.com wrote:
>>>>> When I exec
>>>>>
>>>>> /usr/sbin/update-ca-certificates -v -f
>>>>>
>>>>> some -- NOT all! -- of my machines return some "p11-kit: invalid
>>>>> basic constraints certificate extension" messages,
>>>>
>>>> Could you try out the patches attached to the following bug, and let me
>>>> know if it fixes the problem for you?
>>>>
>>>> https://bugs.freedesktop.org/show_bug.cgi?id=82328
>>>
>>> I've applied those patches to the 13.1 package:
>>> http://download.opensuse.org/repositories/home:/lnussel:/branches:/openSUSE:/13.1:/Update/standard/
>>>
>>
>> Does it fix the issue? Looking for someone else to test it.
> 
> In the VM I have it fixes the NULL warnings. I didn't see the error
> message the original reporter had.
> 
>>> Just curious, why does the code path hit a point where it sees an
>>> invalid public key?
>>
>> This line sets the type field to CKA_INVALID, but then other code still
>> assumed the struct was valid without checking the type field.
>>
>> http://cgit.freedesktop.org/p11-glue/p11-kit/tree/trust/builder.c?h=stable#n643
>>
> 
> That can only happen for .p11-kit files, right?

Yes, there is currently no other way to store certificate info without
also having a public key at hand.

Stef
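
The failure pattern described in this thread (a struct whose type field is set to CKA_INVALID while other code keeps using it) is shown below as an added example. It is not part of the original message and is not p11-kit code; the `attr` struct, the `ATTR_*` constants and all function names are hypothetical stand-ins, and the sample key bytes are constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-in types for this sketch; these are not p11-kit's definitions. */
typedef unsigned long attr_type;
#define ATTR_INVALID    ((attr_type)-1)  /* sentinel, same role as CKA_INVALID */
#define ATTR_PUBLIC_KEY ((attr_type)1)   /* constructed value */

typedef struct {
    attr_type type;
    const unsigned char *value;
    size_t length;
} attr;

/* Producer: only the type field is changed when no public key is
 * available, so value and length may still hold stale or unset data. */
void attr_mark_invalid(attr *a)
{
    a->type = ATTR_INVALID;
}

/* Consumer without the check: trusts value/length whatever the type is. */
size_t key_length_unchecked(const attr *a)
{
    return a->length;
}

/* Consumer with the check: an invalid attribute yields "no key". */
size_t key_length_checked(const attr *a)
{
    if (a == NULL || a->type == ATTR_INVALID || a->value == NULL)
        return 0;
    return a->length;
}

/* Constructed sample: a 4-byte placeholder, not a real encoded key. */
static const unsigned char sample_key[] = { 0x01, 0x02, 0x03, 0x04 };

int main(void)
{
    attr a = { ATTR_PUBLIC_KEY, sample_key, sizeof sample_key };
    attr_mark_invalid(&a);
    printf("unchecked=%zu checked=%zu\n",
           key_length_unchecked(&a), key_length_checked(&a));
    return 0;
}
```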


