Bug 1142305

Summary: there is no API to distinguish certificates with a purpose in the trust module
Product: Red Hat Enterprise Linux 7
Reporter: Nikos Mavrogiannopoulos <nmavrogi>
Component: p11-kit
Assignee: Stef Walter <stefw>
Status: CLOSED ERRATA
QA Contact: Aleš Mareček <amarecek>
Severity: unspecified
Priority: unspecified
Version: 7.1
CC: amarecek, ksrot, nmavrogi
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: p11-kit-0.20.7-1.el7
Doc Type: Bug Fix
Last Closed: 2015-03-05 07:55:06 UTC
Type: Bug
Bug Blocks: 1110750

Description Nikos Mavrogiannopoulos 2014-09-16 14:31:51 UTC
[This is a copy of #1136817]

In #1134602, a verisign CA certificate was removed from the trusted TLS list, but was present in the trusted email list. That, however, resulted in gnutls still seeing the certificate when verifying using the p11-kit trust module.

While that API exists in p11-kit, it is not exposed to applications. What is needed is the availability of an API that implements the external trust policy (stapled extensions) as in:
http://p11-glue.freedesktop.org/doc/storing-trust-policy/storing-trust-pkcs11.html (or something equivalent)
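Added illustration (not part of the bug report, and not p11-kit or GnuTLS code): the linked p11-glue document expresses a certificate's trust purposes as X.509 extensions stapled to the anchor, for example an ExtendedKeyUsage listing serverAuth or emailProtection. The example below models that policy with a plain Python structure and a minimal DER codec written for this example, with no PKCS#11 calls; the anchor names and the `TrustAnchor` / `anchors_for_purpose` helpers are hypothetical. It reproduces the failure mode from the description: when the stapled extension is ignored, an email-only CA is still returned as a TLS trust anchor.

```python
# Added example (not code from the bug report, p11-kit or GnuTLS): a trust
# anchor may carry a "stapled" DER-encoded ExtendedKeyUsage value that limits
# the purposes it is trusted for.  A verifier that ignores the stapled
# extension accepts an email-only CA for TLS; a purpose-aware one does not.
from dataclasses import dataclass
from typing import Optional

# Extended key usage OIDs from RFC 5280 section 4.2.1.12
EKU_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
EKU_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"

TAG_SEQUENCE = 0x30
TAG_OID = 0x06


def _der_length(n: int) -> bytes:
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _encode_oid(oid: str) -> bytes:
    """Dotted OID -> DER OBJECT IDENTIFIER (first two arcs merged, base-128 arcs)."""
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray()
    for arc in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return bytes([TAG_OID]) + _der_length(len(out)) + bytes(out)


def encode_extended_key_usage(oids: list) -> bytes:
    """ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId"""
    body = b"".join(_encode_oid(o) for o in oids)
    return bytes([TAG_SEQUENCE]) + _der_length(len(body)) + body


def _read_tlv(der: bytes, pos: int):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(der[pos:pos + n], "big")
        pos += n
    value = der[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def _decode_oid(body: bytes) -> str:
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    if value or not arcs:
        raise ValueError("malformed OBJECT IDENTIFIER")
    first = arcs[0]
    head = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    return ".".join(str(a) for a in head + arcs[1:])


def parse_extended_key_usage(der: bytes) -> list:
    """Decode a DER ExtendedKeyUsage value into its list of purpose OIDs."""
    tag, body, end = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("expected a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag != TAG_OID:
            raise ValueError("expected OBJECT IDENTIFIER")
        oids.append(_decode_oid(value))
    return oids


@dataclass
class TrustAnchor:  # hypothetical model of one anchor plus its stapled policy
    name: str
    stapled_eku: Optional[bytes] = None  # None: no purpose restriction


def anchor_allows(anchor: TrustAnchor, purpose: str, honor_stapled: bool = True) -> bool:
    """honor_stapled=False ignores the policy, the behaviour this bug describes."""
    if not honor_stapled or anchor.stapled_eku is None:
        return True
    return purpose in parse_extended_key_usage(anchor.stapled_eku)


def anchors_for_purpose(anchors, purpose: str, honor_stapled: bool = True) -> list:
    return [a.name for a in anchors if anchor_allows(a, purpose, honor_stapled)]


# Constructed sample anchors (hypothetical names, not real CA records).
SAMPLE_ANCHORS = [
    TrustAnchor("Example Root (unrestricted)"),
    TrustAnchor("Example Email-Only CA", encode_extended_key_usage([EKU_EMAIL_PROTECTION])),
    TrustAnchor("Example TLS CA", encode_extended_key_usage([EKU_SERVER_AUTH, EKU_CLIENT_AUTH])),
]

if __name__ == "__main__":
    print("TLS anchors, stapled policy ignored: ",
          anchors_for_purpose(SAMPLE_ANCHORS, EKU_SERVER_AUTH, honor_stapled=False))
    print("TLS anchors, stapled policy honoured:",
          anchors_for_purpose(SAMPLE_ANCHORS, EKU_SERVER_AUTH))
```

The two `print` lines show the difference the bug is about: with the stapled extension ignored, the email-only CA appears in the TLS anchor list; with it honoured, only the unrestricted root and the TLS CA remain. The same filter applied with `EKU_EMAIL_PROTECTION` yields the unrestricted root and the email-only CA.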

Comment 6 Stef Walter 2014-09-17 14:33:24 UTC
These API #defines have been exposed for testing in p11-kit-0.21.3 (f21, rawhide, or upstream tarball).

https://admin.fedoraproject.org/updates/p11-kit-0.21.3-1.fc21

It will be backported to the 0.20.x branch once smoke testing is complete. Nikos, when done, could you confirm?

Comment 7 Nikos Mavrogiannopoulos 2014-09-17 15:03:20 UTC
I confirm.

Comment 8 Stef Walter 2014-09-18 08:11:43 UTC
p11-kit 0.20.7 released to upstream stable branch with this API exposed. Fedora 20 package is available for cross-checking: https://admin.fedoraproject.org/updates/p11-kit-0.20.7-1.fc20

Comment 12 errata-xmlrpc 2015-03-05 07:55:06 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0339.html