Bug 1006034

Summary: stapling of an extension in p11-kit-trust (sometimes) doesn't work - Heisenbug?
Product: [Fedora] Fedora Reporter: Kai Engert (:kaie) (inactive account) <kengert>
Component: p11-kitAssignee: Stef Walter <stefw>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 19CC: kengert, mclasen, stefw, tmraz
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: p11-kit-0.18.7-1.fc19 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1007812 (view as bug list) Environment:
Last Closed: 2013-11-03 04:33:05 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 1007812    
Attachments:
Description Flags
Test case for bug where stapled extensions don't apply none

Description Kai Engert (:kaie) (inactive account) 2013-09-09 20:03:25 UTC 
I spent a few hours testing bug 989013, bug was constantly puzzled by behaviour. Related background information can be found in that bug 989013 comment 11.

I *sometimes* was able to reproduce the following, but then again, I couldn't.

- use a fully updated f19 system (which includes p11-kit 0.18.5)
- however, use the older ca-certificates package 
     ca-certificates-2012.87-10.2.fc19.noarch
  which contains the older Entrust 2048 root (the one lacking basic constraints)
  and which requires the stapled attributes found in
     /usr/share/pki/ca-trust-source/ca-bundle.supplement.p11-kit
  to be accepted by p11-kit-trust as a valid cert.

During one period of time, evolution + firefox listed the certificate as absent, indicating that stapling isn't working.

(I'm worried this unreliable stapling might also cause the distrust stapling to not be effective.)

But then, after experimenting a lot, suddenly evolution + firefox showed the certificate. And even after I edited the ca-bundle.supplement.p11-kit file and removed the stapling section for the entrust root, the entrust 2048 root was still shown and listed as trusted.

I fully agree what I saw doesn't make sense, and I wish I could present more consistent test results, but right now I can't.

Bug 989013 is evidence that we do have an incorrect behaviour. People should have never seen the old Entrust root as untrusted, because we always shipped those stapling bits, and the newer ca-certificates (which was shipped just a few days ago) doesn't need the stapling bits.

I had a hard time reproducing bug 989013 in the beginning, then I suddenly was able to reproduce. While trying to upgrade/downgrade packages and reset configurations, even restoring earlier non-reproducing configurations, I still saw the bug. And then suddenly I couldn't reproduce the bug any more, regardless of installed versions and configuration.
Comment 1 Stef Walter 2013-09-13 10:17:57 UTC 
Sounds bad. Investigating.

(In reply to Kai Engert (:kaie) from comment #0)
> (I'm worried this unreliable stapling might also cause the distrust stapling
> to not be effective.)

For what it's worth, we don't use stapling to do distrust in Fedora 19 ca-certificates. So there's likely less cause for worry.
Comment 2 Stef Walter 2013-09-13 10:26:06 UTC 
Created attachment 797260 [details]
Test case for bug where stapled extensions don't apply

Seems to happen if loaded after certificate.
Comment 3 Stef Walter 2013-09-13 10:27:32 UTC 
Can reproduce. This is a race condition. The attached patch makes the tests fail.

The problem is where the certificate is loaded before the stapled certificate extension. We have code to account for loading both ways, however it seems to be broken.
Comment 4 Stef Walter 2013-09-13 10:29:17 UTC 
Test case failure, when above patch is applied.

.......F.......................

There was 1 failure:
1) test_build_certificate_staple_ca_backwards: test-builder.c:470: attribute does not match: expected { CKA_CERTIFICATE_CATEGORY = 2 (authority) } but found { CKA_CERTIFICATE_CATEGORY = 3 (other-entry) }

!!!FAILURES!!!
Runs: 31 Passes: 30 Fails: 1

FAIL: test-builder
Comment 5 Stef Walter 2013-09-13 11:28:18 UTC 
Patch upstream.
Comment 6 Stef Walter 2013-09-13 11:44:13 UTC 
Scratch build with the upstream patch.

http://koji.fedoraproject.org/koji/taskinfo?taskID=5930658
Comment 7 Stef Walter 2013-10-10 04:40:20 UTC 
Kai, have you had a chance to test this patch?
Comment 8 Fedora Update System 2013-10-14 12:44:37 UTC 
p11-kit-0.18.7-1.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/p11-kit-0.18.7-1.fc19
Comment 9 Kai Engert (:kaie) (inactive account) 2013-10-15 20:09:24 UTC 
(In reply to Stef Walter from comment #7)
> Kai, have you had a chance to test this patch?

No, given how painful it was to test this issue, and how intermittent it was, I'd prefer if you could come up with a good testing strategy.
Comment 10 Stef Walter 2013-10-15 20:10:58 UTC 
Understood ... We have an upstream test case for this. So I've pushed this an an update to fix the issue. As you noted, it should be rare to run into this, given it's intermitancy and the fact that we now have a better Entrust Root CA cert.
Comment 11 Fedora Update System 2013-10-18 19:36:04 UTC 
Package p11-kit-0.18.7-1.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing p11-kit-0.18.7-1.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-19259/p11-kit-0.18.7-1.fc19
then log in and leave karma (feedback).
Comment 12 Fedora Update System 2013-11-03 04:33:05 UTC 
p11-kit-0.18.7-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.