Bug 1130485
| Field | Value |
|---|---|
| Summary | warning "CKA_X_CRITICAL attribute is not valid for the object" when using the p11-kit-trust module |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | Nikos Mavrogiannopoulos <nmavrogi> |
| Component | ca-certificates |
| Assignee | Kai Engert (:kaie) (inactive account) <kengert> |
| Status | CLOSED ERRATA |
| QA Contact | Aleš Mareček <amarecek> |
| Severity | unspecified |
| Docs Contact | |
| Priority | unspecified |
| Version | 7.1 |
| CC | amarecek, djasa, kengert, ksrot, pvrabec, stefw |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | |
| Fixed In Version | ca-certificates-2014.1.98-72.el7 |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2015-03-05 10:36:42 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | 988745 |
| Bug Blocks | |
| Attachments | |
Description
Nikos Mavrogiannopoulos
2014-08-15 11:18:46 UTC
Yes, with a rebase to 0.20.x we'll probably need to update from the one .p11-kit file from the interim format that was used in F19 and RHEL 6/7.

---

This is related to #988745, which was the same issue on Fedora.

---

Created attachment 934767 [details]
Commit to ca-certificates that fixes the issue

This commit brings over the fix from Fedora. Scratch build here: https://brewweb.devel.redhat.com/taskinfo?taskID=7923453

---

Hmmm, I'm not sure this stapled extension is necessary any more. The Entrust Root seems to have BasicConstraints.

```
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1164660820 (0x456b5054)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=Entrust, Inc., OU=www.entrust.net/CPS is incorporated by reference, OU=(c) 2006 Entrust, Inc., CN=Entrust Root Certification Authority
        Validity
            Not Before: Nov 27 20:23:42 2006 GMT
            Not After : Nov 27 20:53:42 2026 GMT
        Subject: C=US, O=Entrust, Inc., OU=www.entrust.net/CPS is incorporated by reference, OU=(c) 2006 Entrust, Inc., CN=Entrust Root Certification Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b6:95:b6:43:42:fa:c6:6d:2a:6f:48:df:94:4c:
                    39:57:05:ee:c3:79:11:41:68:36:ed:ec:fe:9a:01:
                    8f:a1:38:28:fc:f7:10:46:66:2e:4d:1e:1a:b1:1a:
                    4e:c6:d1:c0:95:88:b0:c9:ff:31:8b:33:03:db:b7:
                    83:7b:3e:20:84:5e:ed:b2:56:28:a7:f8:e0:b9:40:
                    71:37:c5:cb:47:0e:97:2a:68:c0:22:95:62:15:db:
                    47:d9:f5:d0:2b:ff:82:4b:c9:ad:3e:de:4c:db:90:
                    80:50:3f:09:8a:84:00:ec:30:0a:3d:18:cd:fb:fd:
                    2a:59:9a:23:95:17:2c:45:9e:1f:6e:43:79:6d:0c:
                    5c:98:fe:48:a7:c5:23:47:5c:5e:fd:6e:e7:1e:b4:
                    f6:68:45:d1:86:83:5b:a2:8a:8d:b1:e3:29:80:fe:
                    25:71:88:ad:be:bc:8f:ac:52:96:4b:aa:51:8d:e4:
                    13:31:19:e8:4e:4d:9f:db:ac:b3:6a:d5:bc:39:54:
                    71:ca:7a:7a:7f:90:dd:7d:1d:80:d9:81:bb:59:26:
                    c2:11:fe:e6:93:e2:f7:80:e4:65:fb:34:37:0e:29:
                    80:70:4d:af:38:86:2e:9e:7f:57:af:9e:17:ae:eb:
                    1c:cb:28:21:5f:b6:1c:d8:e7:a2:04:22:f9:d3:da:
                    d8:cb
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Private Key Usage Period:
                Not Before: Nov 27 20:23:42 2006 GMT, Not After: Nov 27 20:53:42 2026 GMT
            X509v3 Authority Key Identifier:
                keyid:68:90:E4:67:A4:A6:53:80:C7:86:66:A4:F1:F7:4B:43:FB:84:BD:6D
            X509v3 Subject Key Identifier:
                68:90:E4:67:A4:A6:53:80:C7:86:66:A4:F1:F7:4B:43:FB:84:BD:6D
            1.2.840.113533.7.65.0:
                0...V7.1:4.0....
    Signature Algorithm: sha1WithRSAEncryption
         93:d4:30:b0:d7:03:20:2a:d0:f9:63:e8:91:0c:05:20:a9:5f:
         19:ca:7b:72:4e:d4:b1:db:d0:96:fb:54:5a:19:2c:0c:08:f7:
         b2:bc:85:a8:9d:7f:6d:3b:52:b3:2a:db:e7:d4:84:8c:63:f6:
         0f:cb:26:01:91:50:6c:f4:5f:14:e2:93:74:c0:13:9e:30:3a:
         50:e3:b4:60:c5:1c:f0:22:44:8d:71:47:ac:c8:1a:c9:e9:9b:
         9a:00:60:13:ff:70:7e:5f:11:4d:49:1b:b3:15:52:7b:c9:54:
         da:bf:9d:95:af:6b:9a:d8:9e:e9:f1:e4:43:8d:e2:11:44:3a:
         bf:af:bd:83:42:73:52:8b:aa:bb:a7:29:cf:f5:64:1c:0a:4d:
         d1:bc:aa:ac:9f:2a:d0:ff:7f:7f:da:7d:ea:b1:ed:30:25:c1:
         84:da:34:d2:5b:78:83:56:ec:9c:36:c3:26:e2:11:f6:67:49:
         1d:92:ab:8c:fb:eb:ff:7a:ee:85:4a:a7:50:80:f0:a7:5c:4a:
         94:2e:5f:05:99:3c:52:41:e0:cd:b4:63:cf:01:43:ba:9c:83:
         dc:8f:60:3b:f3:5a:b4:b4:7b:ae:da:0b:90:38:75:ef:81:1d:
         66:d2:f7:57:70:36:b3:bf:fc:28:af:71:25:85:5b:13:fe:1e:
         7f:5a:b4:3c
Trusted Uses:
  TLS Web Server Authentication
No Rejected Uses.
Alias: Entrust Root Certification Authority
```

---

No, this here is the right certificate, as evidenced by the subject key identifier in the patch:

```
%55%e4%81%d1%11%80%be%d8%89%b9%08%a3%31%f9%a1%24%09%16%b9%70
```

As you can see it already has BasicConstraints. So our additional stapled certificate extension is not necessary. Will attach a patch that removes it.

```
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 946069240 (0x3863def8)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=Entrust.net, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Certification Authority (2048)
        Validity
            Not Before: Dec 24 17:50:51 1999 GMT
            Not After : Jul 24 14:15:12 2029 GMT
        Subject: O=Entrust.net, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Certification Authority (2048)
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ad:4d:4b:a9:12:86:b2:ea:a3:20:07:15:16:64:
                    2a:2b:4b:d1:bf:0b:4a:4d:8e:ed:80:76:a5:67:b7:
                    78:40:c0:73:42:c8:68:c0:db:53:2b:dd:5e:b8:76:
                    98:35:93:8b:1a:9d:7c:13:3a:0e:1f:5b:b7:1e:cf:
                    e5:24:14:1e:b1:81:a9:8d:7d:b8:cc:6b:4b:03:f1:
                    02:0c:dc:ab:a5:40:24:00:7f:74:94:a1:9d:08:29:
                    b3:88:0b:f5:87:77:9d:55:cd:e4:c3:7e:d7:6a:64:
                    ab:85:14:86:95:5b:97:32:50:6f:3d:c8:ba:66:0c:
                    e3:fc:bd:b8:49:c1:76:89:49:19:fd:c0:a8:bd:89:
                    a3:67:2f:c6:9f:bc:71:19:60:b8:2d:e9:2c:c9:90:
                    76:66:7b:94:e2:af:78:d6:65:53:5d:3c:d6:9c:b2:
                    cf:29:03:f9:2f:a4:50:b2:d4:48:ce:05:32:55:8a:
                    fd:b2:64:4c:0e:e4:98:07:75:db:7f:df:b9:08:55:
                    60:85:30:29:f9:7b:48:a4:69:86:e3:35:3f:1e:86:
                    5d:7a:7a:15:bd:ef:00:8e:15:22:54:17:00:90:26:
                    93:bc:0e:49:68:91:bf:f8:47:d3:9d:95:42:c1:0e:
                    4d:df:6f:26:cf:c3:18:21:62:66:43:70:d6:d5:c0:
                    07:e1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                55:E4:81:D1:11:80:BE:D8:89:B9:08:A3:31:F9:A1:24:09:16:B9:70
    Signature Algorithm: sha1WithRSAEncryption
         3b:9b:8f:56:9b:30:e7:53:99:7c:7a:79:a7:4d:97:d7:19:95:
         90:fb:06:1f:ca:33:7c:46:63:8f:96:66:24:fa:40:1b:21:27:
         ca:e6:72:73:f2:4f:fe:31:99:fd:c8:0c:4c:68:53:c6:80:82:
         13:98:fa:b6:ad:da:5d:3d:f1:ce:6e:f6:15:11:94:82:0c:ee:
         3f:95:af:11:ab:0f:d7:2f:de:1f:03:8f:57:2c:1e:c9:bb:9a:
         1a:44:95:eb:18:4f:a6:1f:cd:7d:57:10:2f:9b:04:09:5a:84:
         b5:6e:d8:1d:3a:e1:d6:9e:d1:6c:79:5e:79:1c:14:c5:e3:d0:
         4c:93:3b:65:3c:ed:df:3d:be:a6:e5:95:1a:c3:b5:19:c3:bd:
         5e:5b:bb:ff:23:ef:68:19:cb:12:93:27:5c:03:2d:6f:30:d0:
         1e:b6:1a:ac:de:5a:f7:d1:aa:a8:27:a6:fe:79:81:c4:79:99:
         33:57:ba:12:b0:a9:e0:42:6c:93:ca:56:de:fe:6d:84:0b:08:
         8b:7e:8d:ea:d7:98:21:c6:f3:e7:3c:79:2f:5e:9c:d1:4c:15:
         8d:e1:ec:22:37:cc:9a:43:0b:97:dc:80:90:8d:b3:67:9b:6f:
         48:08:15:56:cf:bf:f1:2b:7c:5e:9a:76:e9:59:90:c5:7c:83:
         35:11:65:51
Trusted Uses:
  Code Signing, E-mail Protection, TLS Web Server Authentication
No Rejected Uses.
Alias: Entrust.net Premium 2048 Secure Server CA
-----BEGIN CERTIFICATE-----
MIIEKjCCAxKgAwIBAgIEOGPe+DANBgkqhkiG9w0BAQUFADCBtDEUMBIGA1UEChML
RW50cnVzdC5uZXQxQDA+BgNVBAsUN3d3dy5lbnRydXN0Lm5ldC9DUFNfMjA0OCBp
bmNvcnAuIGJ5IHJlZi4gKGxpbWl0cyBsaWFiLikxJTAjBgNVBAsTHChjKSAxOTk5
IEVudHJ1c3QubmV0IExpbWl0ZWQxMzAxBgNVBAMTKkVudHJ1c3QubmV0IENlcnRp
ZmljYXRpb24gQXV0aG9yaXR5ICgyMDQ4KTAeFw05OTEyMjQxNzUwNTFaFw0yOTA3
MjQxNDE1MTJaMIG0MRQwEgYDVQQKEwtFbnRydXN0Lm5ldDFAMD4GA1UECxQ3d3d3
LmVudHJ1c3QubmV0L0NQU18yMDQ4IGluY29ycC4gYnkgcmVmLiAobGltaXRzIGxp
YWIuKTElMCMGA1UECxMcKGMpIDE5OTkgRW50cnVzdC5uZXQgTGltaXRlZDEzMDEG
A1UEAxMqRW50cnVzdC5uZXQgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgKDIwNDgp
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArU1LqRKGsuqjIAcVFmQq
K0vRvwtKTY7tgHalZ7d4QMBzQshowNtTK91euHaYNZOLGp18EzoOH1u3Hs/lJBQe
sYGpjX24zGtLA/ECDNyrpUAkAH90lKGdCCmziAv1h3edVc3kw37XamSrhRSGlVuX
MlBvPci6Zgzj/L24ScF2iUkZ/cCovYmjZy/Gn7xxGWC4LeksyZB2ZnuU4q941mVT
XTzWnLLPKQP5L6RQstRIzgUyVYr9smRMDuSYB3Xbf9+5CFVghTAp+XtIpGmG4zU/
HoZdenoVve8AjhUiVBcAkCaTvA5JaJG/+EfTnZVCwQ5N328mz8MYIWJmQ3DW1cAH
4QIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNV
HQ4EFgQUVeSB0RGAvtiJuQijMfmhJAkWuXAwDQYJKoZIhvcNAQEFBQADggEBADub
j1abMOdTmXx6eadNl9cZlZD7Bh/KM3xGY4+WZiT6QBshJ8rmcnPyT/4xmf3IDExo
U8aAghOY+rat2l098c5u9hURlIIM7j+VrxGrD9cv3h8Dj1csHsm7mhpElesYT6Yf
zX1XEC+bBAlahLVu2B064dae0Wx5XnkcFMXj0EyTO2U87d89vqbllRrDtRnDvV5b
u/8j72gZyxKTJ1wDLW8w0B62GqzeWvfRqqgnpv55gcR5mTNXuhKwqeBCbJPKVt7+
bYQLCIt+jerXmCHG8+c8eS9enNFMFY3h7CI3zJpDC5fcgJCNs2ebb0gIFVbPv/Er
fF6adulZkMV8gzURZVE=
-----END CERTIFICATE-----
```

---

How to verify this fix.

The following should have identical output in RHEL 7.0 and RHEL 7.1:

```
$ p11-kit extract --filter=ca-anchors --format=pem-bundle --comment --purpose=server-auth --overwrite /tmp/test
$ grep 'Entrust.net Premium 2048 Secure Server CA' /tmp/test
# Entrust.net Premium 2048 Secure Server CA
```

---

Created attachment 934818 [details]
Commit which removes Entrust stapled certificate extension

---

Scratch build with new fix that removes Entrust stapled certificate extension: https://brewweb.devel.redhat.com/taskinfo?taskID=7923967

---

(In reply to Stef Walter from comment #8)
> How to verify this fix. The following should have identical output in RHEL
> 7.0 and RHEL 7.1:
>
> $ p11-kit extract --filter=ca-anchors --format=pem-bundle --comment
> --purpose=server-auth --overwrite /tmp/test
> $ grep 'Entrust.net Premium 2048 Secure Server CA' /tmp/test
> # Entrust.net Premium 2048 Secure Server CA

(In reply to Stef Walter from comment #10)
> Scratch build with new fix that removes Entrust stapled certificate
> extension: https://brewweb.devel.redhat.com/taskinfo?taskID=7923967

Works for me:

```
bash-4.2$ p11-kit extract --filter=ca-anchors --format=pem-bundle --comment --purpose=server-auth --overwrite /tmp/test
p11-kit: invalid basic constraints certificate extension
p11-kit: invalid basic constraints certificate extension
p11-kit: invalid basic constraints certificate extension
p11-kit: invalid basic constraints certificate extension
p11-kit: invalid basic constraints certificate extension
p11-kit: invalid basic constraints certificate extension
p11-kit: invalid basic constraints certificate extension
p11-kit: invalid basic constraints certificate extension
p11-kit: invalid basic constraints certificate extension
bash-4.2$ grep 'Entrust.net Premium 2048 Secure Server CA' /tmp/test
# Entrust.net Premium 2048 Secure Server CA
bash-4.2$
```

---

Thanks for trying it out.

I see the 'invalid basic constraints certificate extension' errors there. Could you attach (or email me, if it's sensitive) the output of the following:

```
$ tar -czvf ~/ca-trust-source.tgz /etc/pki/ca-trust/source /usr/share/pki/ca-trust-source
```

---

Created attachment 935274 [details]
ca trust source

---

(In reply to Stef Walter from comment #12)
> Thanks for trying it out.
>
> I see the 'invalid basic constraints certificate extension' errors there.

Hmmm, I can't duplicate this. What version of p11-kit-trust do you have installed?

---

(In reply to Stef Walter from comment #14)
> (In reply to Stef Walter from comment #12)
> > Thanks for trying it out.
> >
> > I see the 'invalid basic constraints certificate extension' errors there.
>
> Hmmm, I can't duplicate this. What version of p11-kit-trust do you have
> installed?

p11-kit-trust-0.20.4-1.el7.x86_64 (RHEL 7.0)

---

David, p11-kit-trust 0.20.5 should fix that issue.

---

Yes, 0.20.5 indeed fixes the issue for me.

---

To clarify, we've verified that the issue David ran into was not related to this bug, but already fixed elsewhere.

---

Stef, thanks a lot for your clarifications and your work on this issue.

I confirm that the related Entrust root certificate has been replaced with a newer one that contains the basic constraint extension in upstream https://bugzilla.mozilla.org/show_bug.cgi?id=856678

It has been contained in RHEL 7 builds since the ca-certificates-2013.1.94-70.0.el7 build in September 2013 (one year ago).

I agree that removing the stapled extension is the right thing to do, so all I have to do is to commit and build your patch :-) which I'll do now.

---

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0472.html
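The check made by eye in the thread above (does the Entrust root already carry a critical BasicConstraints CA:TRUE extension, and is it the certificate whose subject key identifier the stapled-extension patch names) can be scripted, and the same script will tell you which anchors in a bundle such as the `/tmp/test` output of `p11-kit extract` would still need a stapled extension. The Python below is an added example written for this page, not code from ca-certificates or p11-kit; it uses only the standard library with a small DER walker instead of an X.509 library so it runs anywhere, and it embeds the Entrust.net 2048 PEM posted in the thread as its sample input. All function and variable names are the example's own.

```python
import base64
import re

# Entrust.net Certification Authority (2048), copied from the PEM posted in the thread.
ENTRUST_2048_PEM = """-----BEGIN CERTIFICATE-----
MIIEKjCCAxKgAwIBAgIEOGPe+DANBgkqhkiG9w0BAQUFADCBtDEUMBIGA1UEChML
RW50cnVzdC5uZXQxQDA+BgNVBAsUN3d3dy5lbnRydXN0Lm5ldC9DUFNfMjA0OCBp
bmNvcnAuIGJ5IHJlZi4gKGxpbWl0cyBsaWFiLikxJTAjBgNVBAsTHChjKSAxOTk5
IEVudHJ1c3QubmV0IExpbWl0ZWQxMzAxBgNVBAMTKkVudHJ1c3QubmV0IENlcnRp
ZmljYXRpb24gQXV0aG9yaXR5ICgyMDQ4KTAeFw05OTEyMjQxNzUwNTFaFw0yOTA3
MjQxNDE1MTJaMIG0MRQwEgYDVQQKEwtFbnRydXN0Lm5ldDFAMD4GA1UECxQ3d3d3
LmVudHJ1c3QubmV0L0NQU18yMDQ4IGluY29ycC4gYnkgcmVmLiAobGltaXRzIGxp
YWIuKTElMCMGA1UECxMcKGMpIDE5OTkgRW50cnVzdC5uZXQgTGltaXRlZDEzMDEG
A1UEAxMqRW50cnVzdC5uZXQgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgKDIwNDgp
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArU1LqRKGsuqjIAcVFmQq
K0vRvwtKTY7tgHalZ7d4QMBzQshowNtTK91euHaYNZOLGp18EzoOH1u3Hs/lJBQe
sYGpjX24zGtLA/ECDNyrpUAkAH90lKGdCCmziAv1h3edVc3kw37XamSrhRSGlVuX
MlBvPci6Zgzj/L24ScF2iUkZ/cCovYmjZy/Gn7xxGWC4LeksyZB2ZnuU4q941mVT
XTzWnLLPKQP5L6RQstRIzgUyVYr9smRMDuSYB3Xbf9+5CFVghTAp+XtIpGmG4zU/
HoZdenoVve8AjhUiVBcAkCaTvA5JaJG/+EfTnZVCwQ5N328mz8MYIWJmQ3DW1cAH
4QIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNV
HQ4EFgQUVeSB0RGAvtiJuQijMfmhJAkWuXAwDQYJKoZIhvcNAQEFBQADggEBADub
j1abMOdTmXx6eadNl9cZlZD7Bh/KM3xGY4+WZiT6QBshJ8rmcnPyT/4xmf3IDExo
U8aAghOY+rat2l098c5u9hURlIIM7j+VrxGrD9cv3h8Dj1csHsm7mhpElesYT6Yf
zX1XEC+bBAlahLVu2B064dae0Wx5XnkcFMXj0EyTO2U87d89vqbllRrDtRnDvV5b
u/8j72gZyxKTJ1wDLW8w0B62GqzeWvfRqqgnpv55gcR5mTNXuhKwqeBCbJPKVt7+
bYQLCIt+jerXmCHG8+c8eS9enNFMFY3h7CI3zJpDC5fcgJCNs2ebb0gIFVbPv/Er
fF6adulZkMV8gzURZVE=
-----END CERTIFICATE-----"""

_PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_bundle_to_der(text):
    """DER bytes of every certificate in a PEM bundle (e.g. p11-kit's pem-bundle output)."""
    return [base64.b64decode("".join(m.group(1).split())) for m in _PEM_BLOCK.finditer(text)]

def _tlv(buf, pos):
    """Decode one DER header at pos -> (tag, value_start, value_end); definite lengths only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf, start, end):
    """Split the DER content buf[start:end] into (tag, value) pairs."""
    out, pos = [], start
    while pos < end:
        tag, vs, ve = _tlv(buf, pos)
        out.append((tag, buf[vs:ve]))
        pos = ve
    return out

def _oid(data):
    """Dotted form of a DER OBJECT IDENTIFIER payload."""
    arcs, value = [data[0] // 40, data[0] % 40], 0
    for b in data[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def extensions(der):
    """Map extension OID -> (critical, extnValue bytes) for one DER certificate."""
    _, cert_start, _ = _tlv(der, 0)                # Certificate SEQUENCE
    _, tbs_start, tbs_end = _tlv(der, cert_start)  # tbsCertificate SEQUENCE
    found = {}
    for tag, value in _children(der, tbs_start, tbs_end):
        if tag == 0xA3:                            # [3] EXPLICIT Extensions (absent in v1 certs)
            _, s, e = _tlv(value, 0)               # SEQUENCE OF Extension
            for _, ext in _children(value, s, e):
                f = _children(ext, 0, len(ext))    # OID, optional BOOLEAN critical, OCTET STRING
                critical = f[1][0] == 0x01 and f[1][1] != b"\x00"
                found[_oid(f[0][1])] = (critical, f[-1][1])
    return found

def basic_constraints(der):
    """{'critical', 'ca', 'path_len'} from BasicConstraints (2.5.29.19), or None if absent."""
    ext = extensions(der).get("2.5.29.19")
    if ext is None:
        return None
    _, s, e = _tlv(ext[1], 0)                      # BasicConstraints SEQUENCE
    result = {"critical": ext[0], "ca": False, "path_len": None}
    for tag, v in _children(ext[1], s, e):
        if tag == 0x01:
            result["ca"] = v != b"\x00"
        elif tag == 0x02:
            result["path_len"] = int.from_bytes(v, "big")
    return result

def subject_key_identifier(der):
    """Lower-case hex of SubjectKeyIdentifier (2.5.29.14), or None if absent."""
    ext = extensions(der).get("2.5.29.14")
    if ext is None:
        return None
    _, s, e = _tlv(ext[1], 0)                      # extnValue wraps one OCTET STRING
    return ext[1][s:e].hex()

def anchors_without_ca_constraint(pem_text):
    """SKIs of anchors in a bundle that lack BasicConstraints CA:TRUE, i.e. the ones a
    trust store would still have to fix up with a stapled extension."""
    return [subject_key_identifier(der) for der in pem_bundle_to_der(pem_text)
            if (basic_constraints(der) or {}).get("ca") is not True]
```

For the embedded Entrust.net 2048 root, `basic_constraints` reports a critical CA:TRUE extension with no path length and `subject_key_identifier` returns `55e481d11180bed889b908a331f9a1240916b970`, the same value the patch spells as `%55%e4...%70`, so `anchors_without_ca_constraint` returns an empty list. Point it at the `/tmp/test` bundle from the verification step (`anchors_without_ca_constraint(open("/tmp/test").read())`) and any SKI it prints is an anchor that p11-kit would have to reject or that ca-certificates would have to carry a stapled extension for.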