Bug 1130485

Summary: warning "CKA_X_CRITICAL attribute is not valid for the object" when using the p11-kit-trust module

Product: Red Hat Enterprise Linux 7
Reporter: Nikos Mavrogiannopoulos <nmavrogi>
Component: ca-certificates
Assignee: Kai Engert (:kaie) (inactive account) <kengert>
Status: CLOSED ERRATA
QA Contact: Aleš Mareček <amarecek>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.1
CC: amarecek, djasa, kengert, ksrot, pvrabec, stefw
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ca-certificates-2014.1.98-72.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-03-05 10:36:42 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 988745
Bug Blocks:

Attachments:
  Commit to ca-certificates that fixes the issue (flags: none)
  Commit which removes Entrust stapled certificate extension (flags: none)

Description Nikos Mavrogiannopoulos 2014-08-15 11:18:46 UTC
I've updated gnutls to use the p11-kit trust module and tested it in RHEL-7.0. Running the following command shows:
$ gnutls-cli www.amazon.com
p11-kit: the CKA_X_CRITICAL attribute is not valid for the object
p11-kit: couldn't load file into objects: /usr/share/pki/ca-trust-source/ca-bundle.supplement.p11-kit

So it seems there is some issue either in ca-certificates in RHEL-7.0 or p11-kit trust module in RHEL-7.1.

Comment 2 Stef Walter 2014-08-15 11:58:22 UTC
Yes, with a rebase to 0.20.x we'll probably need to update from the one .p11-kit file from the interim format that was used in F19 and RHEL 6/7

Comment 3 Stef Walter 2014-09-05 12:29:09 UTC
This is related to #988745, which was the same issue on Fedora.

Comment 4 Stef Walter 2014-09-05 12:38:37 UTC
Created attachment 934767 [details]
Commit to ca-certificates that fixes the issue

This commit brings over the fix from Fedora. 

Scratch build here: https://brewweb.devel.redhat.com/taskinfo?taskID=7923453

Comment 6 Stef Walter 2014-09-05 13:16:27 UTC
Hmmm, I'm not sure this stapled extension is necessary any more. The Entrust Root seems to have BasicConstraints.

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1164660820 (0x456b5054)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=Entrust, Inc., OU=www.entrust.net/CPS is incorporated by reference, OU=(c) 2006 Entrust, Inc., CN=Entrust Root Certification Authority
        Validity
            Not Before: Nov 27 20:23:42 2006 GMT
            Not After : Nov 27 20:53:42 2026 GMT
        Subject: C=US, O=Entrust, Inc., OU=www.entrust.net/CPS is incorporated by reference, OU=(c) 2006 Entrust, Inc., CN=Entrust Root Certification Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b6:95:b6:43:42:fa:c6:6d:2a:6f:48:df:94:4c:
                    39:57:05:ee:c3:79:11:41:68:36:ed:ec:fe:9a:01:
                    8f:a1:38:28:fc:f7:10:46:66:2e:4d:1e:1a:b1:1a:
                    4e:c6:d1:c0:95:88:b0:c9:ff:31:8b:33:03:db:b7:
                    83:7b:3e:20:84:5e:ed:b2:56:28:a7:f8:e0:b9:40:
                    71:37:c5:cb:47:0e:97:2a:68:c0:22:95:62:15:db:
                    47:d9:f5:d0:2b:ff:82:4b:c9:ad:3e:de:4c:db:90:
                    80:50:3f:09:8a:84:00:ec:30:0a:3d:18:cd:fb:fd:
                    2a:59:9a:23:95:17:2c:45:9e:1f:6e:43:79:6d:0c:
                    5c:98:fe:48:a7:c5:23:47:5c:5e:fd:6e:e7:1e:b4:
                    f6:68:45:d1:86:83:5b:a2:8a:8d:b1:e3:29:80:fe:
                    25:71:88:ad:be:bc:8f:ac:52:96:4b:aa:51:8d:e4:
                    13:31:19:e8:4e:4d:9f:db:ac:b3:6a:d5:bc:39:54:
                    71:ca:7a:7a:7f:90:dd:7d:1d:80:d9:81:bb:59:26:
                    c2:11:fe:e6:93:e2:f7:80:e4:65:fb:34:37:0e:29:
                    80:70:4d:af:38:86:2e:9e:7f:57:af:9e:17:ae:eb:
                    1c:cb:28:21:5f:b6:1c:d8:e7:a2:04:22:f9:d3:da:
                    d8:cb
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Private Key Usage Period: 
                Not Before: Nov 27 20:23:42 2006 GMT, Not After: Nov 27 20:53:42 2026 GMT
            X509v3 Authority Key Identifier: 
                keyid:68:90:E4:67:A4:A6:53:80:C7:86:66:A4:F1:F7:4B:43:FB:84:BD:6D

            X509v3 Subject Key Identifier: 
                68:90:E4:67:A4:A6:53:80:C7:86:66:A4:F1:F7:4B:43:FB:84:BD:6D
            1.2.840.113533.7.65.0: 
                0...V7.1:4.0....
    Signature Algorithm: sha1WithRSAEncryption
         93:d4:30:b0:d7:03:20:2a:d0:f9:63:e8:91:0c:05:20:a9:5f:
         19:ca:7b:72:4e:d4:b1:db:d0:96:fb:54:5a:19:2c:0c:08:f7:
         b2:bc:85:a8:9d:7f:6d:3b:52:b3:2a:db:e7:d4:84:8c:63:f6:
         0f:cb:26:01:91:50:6c:f4:5f:14:e2:93:74:c0:13:9e:30:3a:
         50:e3:b4:60:c5:1c:f0:22:44:8d:71:47:ac:c8:1a:c9:e9:9b:
         9a:00:60:13:ff:70:7e:5f:11:4d:49:1b:b3:15:52:7b:c9:54:
         da:bf:9d:95:af:6b:9a:d8:9e:e9:f1:e4:43:8d:e2:11:44:3a:
         bf:af:bd:83:42:73:52:8b:aa:bb:a7:29:cf:f5:64:1c:0a:4d:
         d1:bc:aa:ac:9f:2a:d0:ff:7f:7f:da:7d:ea:b1:ed:30:25:c1:
         84:da:34:d2:5b:78:83:56:ec:9c:36:c3:26:e2:11:f6:67:49:
         1d:92:ab:8c:fb:eb:ff:7a:ee:85:4a:a7:50:80:f0:a7:5c:4a:
         94:2e:5f:05:99:3c:52:41:e0:cd:b4:63:cf:01:43:ba:9c:83:
         dc:8f:60:3b:f3:5a:b4:b4:7b:ae:da:0b:90:38:75:ef:81:1d:
         66:d2:f7:57:70:36:b3:bf:fc:28:af:71:25:85:5b:13:fe:1e:
         7f:5a:b4:3c
Trusted Uses:
  TLS Web Server Authentication
No Rejected Uses.
Alias: Entrust Root Certification Authority

Comment 7 Stef Walter 2014-09-05 14:17:14 UTC
No, this here is the right certificate, as evidenced by the subject key identifier in the patch:  %55%e4%81%d1%11%80%be%d8%89%b9%08%a3%31%f9%a1%24%09%16%b9%70

As you can see it already has BasicConstraints. So our additional stapled certificate extension is not necessary. Will attach a patch that removes it.

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 946069240 (0x3863def8)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=Entrust.net, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Certification Authority (2048)
        Validity
            Not Before: Dec 24 17:50:51 1999 GMT
            Not After : Jul 24 14:15:12 2029 GMT
        Subject: O=Entrust.net, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Certification Authority (2048)
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ad:4d:4b:a9:12:86:b2:ea:a3:20:07:15:16:64:
                    2a:2b:4b:d1:bf:0b:4a:4d:8e:ed:80:76:a5:67:b7:
                    78:40:c0:73:42:c8:68:c0:db:53:2b:dd:5e:b8:76:
                    98:35:93:8b:1a:9d:7c:13:3a:0e:1f:5b:b7:1e:cf:
                    e5:24:14:1e:b1:81:a9:8d:7d:b8:cc:6b:4b:03:f1:
                    02:0c:dc:ab:a5:40:24:00:7f:74:94:a1:9d:08:29:
                    b3:88:0b:f5:87:77:9d:55:cd:e4:c3:7e:d7:6a:64:
                    ab:85:14:86:95:5b:97:32:50:6f:3d:c8:ba:66:0c:
                    e3:fc:bd:b8:49:c1:76:89:49:19:fd:c0:a8:bd:89:
                    a3:67:2f:c6:9f:bc:71:19:60:b8:2d:e9:2c:c9:90:
                    76:66:7b:94:e2:af:78:d6:65:53:5d:3c:d6:9c:b2:
                    cf:29:03:f9:2f:a4:50:b2:d4:48:ce:05:32:55:8a:
                    fd:b2:64:4c:0e:e4:98:07:75:db:7f:df:b9:08:55:
                    60:85:30:29:f9:7b:48:a4:69:86:e3:35:3f:1e:86:
                    5d:7a:7a:15:bd:ef:00:8e:15:22:54:17:00:90:26:
                    93:bc:0e:49:68:91:bf:f8:47:d3:9d:95:42:c1:0e:
                    4d:df:6f:26:cf:c3:18:21:62:66:43:70:d6:d5:c0:
                    07:e1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier: 
                55:E4:81:D1:11:80:BE:D8:89:B9:08:A3:31:F9:A1:24:09:16:B9:70
    Signature Algorithm: sha1WithRSAEncryption
         3b:9b:8f:56:9b:30:e7:53:99:7c:7a:79:a7:4d:97:d7:19:95:
         90:fb:06:1f:ca:33:7c:46:63:8f:96:66:24:fa:40:1b:21:27:
         ca:e6:72:73:f2:4f:fe:31:99:fd:c8:0c:4c:68:53:c6:80:82:
         13:98:fa:b6:ad:da:5d:3d:f1:ce:6e:f6:15:11:94:82:0c:ee:
         3f:95:af:11:ab:0f:d7:2f:de:1f:03:8f:57:2c:1e:c9:bb:9a:
         1a:44:95:eb:18:4f:a6:1f:cd:7d:57:10:2f:9b:04:09:5a:84:
         b5:6e:d8:1d:3a:e1:d6:9e:d1:6c:79:5e:79:1c:14:c5:e3:d0:
         4c:93:3b:65:3c:ed:df:3d:be:a6:e5:95:1a:c3:b5:19:c3:bd:
         5e:5b:bb:ff:23:ef:68:19:cb:12:93:27:5c:03:2d:6f:30:d0:
         1e:b6:1a:ac:de:5a:f7:d1:aa:a8:27:a6:fe:79:81:c4:79:99:
         33:57:ba:12:b0:a9:e0:42:6c:93:ca:56:de:fe:6d:84:0b:08:
         8b:7e:8d:ea:d7:98:21:c6:f3:e7:3c:79:2f:5e:9c:d1:4c:15:
         8d:e1:ec:22:37:cc:9a:43:0b:97:dc:80:90:8d:b3:67:9b:6f:
         48:08:15:56:cf:bf:f1:2b:7c:5e:9a:76:e9:59:90:c5:7c:83:
         35:11:65:51
Trusted Uses:
  Code Signing, E-mail Protection, TLS Web Server Authentication
No Rejected Uses.
Alias: Entrust.net Premium 2048 Secure Server CA
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----

Comment 8 Stef Walter 2014-09-05 14:22:51 UTC
How to verify this fix. The following should have identical output in RHEL 7.0 and RHEL 7.1:

$ p11-kit extract --filter=ca-anchors --format=pem-bundle --comment --purpose=server-auth --overwrite /tmp/test
$ grep 'Entrust.net Premium 2048 Secure Server CA' /tmp/test
# Entrust.net Premium 2048 Secure Server CA

Comment 9 Stef Walter 2014-09-05 14:24:27 UTC
Created attachment 934818 [details]
Commit which removes Entrust stapled certificate extension

Comment 10 Stef Walter 2014-09-05 14:30:34 UTC
Scratch build with new fix that removes Entrust stapled certificate extension: https://brewweb.devel.redhat.com/taskinfo?taskID=7923967

Comment 11 David Jaša 2014-09-08 08:10:22 UTC
(In reply to Stef Walter from comment #8)
> How to verify this fix. The following should have identical output in RHEL
> 7.0 and RHEL 7.1:
> 
> $ p11-kit extract --filter=ca-anchors --format=pem-bundle --comment
> --purpose=server-auth --overwrite /tmp/test
> $ grep 'Entrust.net Premium 2048 Secure Server CA' /tmp/test
> # Entrust.net Premium 2048 Secure Server CA

(In reply to Stef Walter from comment #10)
> Scratch build with new fix that removes Entrust stapled certificate
> extension: https://brewweb.devel.redhat.com/taskinfo?taskID=7923967

Works for me:

bash-4.2$ p11-kit extract --filter=ca-anchors --format=pem-bundle --comment --purpose=server-auth --overwrite /tmp/test
p11-kit: invalid basic constraints certificate extension
p11-kit: invalid basic constraints certificate extension
p11-kit: invalid basic constraints certificate extension
p11-kit: invalid basic constraints certificate extension
p11-kit: invalid basic constraints certificate extension
p11-kit: invalid basic constraints certificate extension
p11-kit: invalid basic constraints certificate extension
p11-kit: invalid basic constraints certificate extension
p11-kit: invalid basic constraints certificate extension
bash-4.2$ grep 'Entrust.net Premium 2048 Secure Server CA' /tmp/test
# Entrust.net Premium 2048 Secure Server CA
bash-4.2$

Comment 12 Stef Walter 2014-09-08 08:12:25 UTC
Thanks for trying it out.

I see the 'invalid basic constraints certificate extension' errors there. Could you attach (or email me, if it's sensitive) the output of the following:

$ tar -czvf ~/ca-trust-source.tgz /etc/pki/ca-trust/source /usr/share/pki/ca-trust-source

Comment 13 David Jaša 2014-09-08 08:37:08 UTC
Created attachment 935274 [details]
ca trust source

Comment 14 Stef Walter 2014-09-08 20:32:45 UTC
(In reply to Stef Walter from comment #12)
> Thanks for trying it out.
> 
> I see the 'invalid basic constraints certificate extension' errors there.

Hmmm, I can't duplicate this. What version of p11-kit-trust do you have installed?

Comment 15 David Jaša 2014-09-08 21:57:13 UTC
(In reply to Stef Walter from comment #14)
> (In reply to Stef Walter from comment #12)
> > Thanks for trying it out.
> > 
> > I see the 'invalid basic constraints certificate extension' errors there.
> 
> Hmmm, I can't duplicate this. What version of p11-kit-trust do you have
> installed?

p11-kit-trust-0.20.4-1.el7.x86_64 (RHEL 7.0)

Comment 16 Stef Walter 2014-09-09 05:31:41 UTC
David, p11-kit-trust 0.20.5 should fix that issue.

Comment 17 David Jaša 2014-09-09 08:04:58 UTC
Yes, 0.20.5 indeed fixes the issue for me.

Comment 18 Stef Walter 2014-09-09 15:02:56 UTC
To clarify, we've verified that the issue David ran into was not related to this bug, but already fixed elsewhere.

Comment 19 Kai Engert (:kaie) (inactive account) 2014-09-17 16:37:37 UTC
Stef, thanks a lot for your clarifications and your work on this issue.

I confirm that the related Entrust root certificate has been replaced with a newer one that contains the basic constraint extension in upstream
https://bugzilla.mozilla.org/show_bug.cgi?id=856678

It has been contained in RHEL 7 builds since the ca-certificates-2013.1.94-70.0.el7 build in September 2013 (one year ago).

I agree that removing the stapled extension is the right thing to do, so all I have to do is to commit and build your patch :-) which I'll do now.
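
Comments 7 and 19 both rest on one check: does the Entrust root already carry its own BasicConstraints extension, in which case the stapled extension in ca-certificates is redundant and can be removed? The script below is an added example, not code from this bug, from ca-certificates or from p11-kit. It performs that check over raw DER with a minimal TLV reader and also renders the SubjectKeyIdentifier in the %xx form quoted from the patch in comment 7. It assumes a bare DER-encoded X.509 certificate as input; the two sample certificates are constructed skeletons (dummy issuer, subject, key and signature) built inline so the script runs offline, one lacking BasicConstraints as the old Entrust root did and one carrying it as the replacement root does.

```python
"""Decide whether a root CA needs a stapled BasicConstraints extension.

Added example for this bug thread; not code from ca-certificates or p11-kit.
Input is assumed to be a bare DER certificate. The sample certificates are
constructed skeletons with dummy issuer, subject, key and signature fields.
"""

OID_BASIC_CONSTRAINTS = "2.5.29.19"
OID_SUBJECT_KEY_ID = "2.5.29.14"


# ---- tiny DER encoder, used only to build the constructed samples ----------

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    """Encode one DER tag-length-value element."""
    return bytes([tag]) + _der_len(len(body)) + body


def oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                      # base-128, high bit set on all but last
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return tlv(0x06, bytes(out))


def extension(dotted, value, critical):
    """Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue }"""
    parts = oid(dotted) + (tlv(0x01, b"\xff") if critical else b"")
    return tlv(0x30, parts + tlv(0x04, value))


def skeleton_cert(extensions):
    """Constructed Certificate with the right shape and dummy contents."""
    alg = tlv(0x30, oid("1.2.840.113549.1.1.11"))          # sha256WithRSA
    validity = tlv(0x30, tlv(0x17, b"200101000000Z") + tlv(0x17, b"300101000000Z"))
    spki = tlv(0x30, alg + tlv(0x03, b"\x00"))             # dummy public key
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02"))            # version v3
              + tlv(0x02, b"\x01")                           # serial 1
              + alg + tlv(0x30, b"") + validity + tlv(0x30, b"") + spki
              + tlv(0xA3, tlv(0x30, b"".join(extensions))))  # [3] extensions
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))        # dummy signature


# ---- DER reader and the actual checks ---------------------------------------

def _read_tlv(buf, pos):
    """Return (tag, value, position after the element) for the element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(body):
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        yield tag, value


def _decode_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_extensions(cert_der):
    """Map extension OID -> (critical, raw extnValue) for a DER certificate."""
    _, cert, _ = _read_tlv(cert_der, 0)
    _, tbs, _ = _read_tlv(cert, 0)
    exts = {}
    for tag, value in _children(tbs):
        if tag != 0xA3:                 # only the EXPLICIT [3] Extensions field
            continue
        _, ext_seq, _ = _read_tlv(value, 0)
        for _, ext in _children(ext_seq):
            fields = list(_children(ext))
            critical = len(fields) == 3 and fields[1] == (0x01, b"\xff")
            exts[_decode_oid(fields[0][1])] = (critical, fields[-1][1])
    return exts


def needs_stapled_basic_constraints(cert_der):
    """True for the old Entrust case: a CA with no BasicConstraints of its own."""
    return OID_BASIC_CONSTRAINTS not in parse_extensions(cert_der)


def subject_key_id_p11kit(cert_der):
    """SKI as the %xx string quoted from the ca-certificates patch in comment 7."""
    ext = parse_extensions(cert_der).get(OID_SUBJECT_KEY_ID)
    if ext is None:
        return None
    _, ski, _ = _read_tlv(ext[1], 0)    # OCTET STRING wrapped inside extnValue
    return "".join("%%%02x" % b for b in ski)


# Constructed samples: the SKI from comment 7, with and without BasicConstraints.
SKI = bytes.fromhex("55e481d11180bed889b908a331f9a1240916b970")
CA_TRUE = bytes.fromhex("30030101ff")                       # SEQUENCE { cA TRUE }
OLD_STYLE_ROOT = skeleton_cert([extension(OID_SUBJECT_KEY_ID, tlv(0x04, SKI), False)])
NEW_STYLE_ROOT = skeleton_cert([extension(OID_BASIC_CONSTRAINTS, CA_TRUE, True),
                                extension(OID_SUBJECT_KEY_ID, tlv(0x04, SKI), False)])

if __name__ == "__main__":
    for name, cert in (("old-style", OLD_STYLE_ROOT), ("new-style", NEW_STYLE_ROOT)):
        print(name, "needs stapled BasicConstraints:", needs_stapled_basic_constraints(cert),
              "SKI:", subject_key_id_p11kit(cert))
```

To run it against a real anchor, read a DER file into `cert_der` (convert a PEM first with `openssl x509 -outform DER`). A root that lacks BasicConstraints is exactly the case ca-certificates covered by stapling the extension onto it; once upstream ships a replacement root that carries the extension itself, the stapled copy is dead weight and can be dropped, which is the decision comment 19 records.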

Comment 23 errata-xmlrpc 2015-03-05 10:36:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0472.html