Bug 1705561

Summary: PKCS#11 URI filtering does not work [rhel-8.9.0]
Product: Red Hat Enterprise Linux 8
Reporter: Stanislav Zidek <szidek>
Component: nss
Assignee: Bob Relyea <rrelyea>
Status: VERIFIED
QA Contact: Alexander Sosedkin <asosedki>
Severity: medium
Priority: medium
Version: 8.0
CC: asosedki, dueno, hkario, rrelyea, ssorce
Target Milestone: rc
Keywords: Reopened, Triaged
Hardware: All
OS: Linux
Fixed In Version: nss-3.90.0-3.el8_8
Doc Type: No Doc Update
Last Closed: 2021-01-18 23:03:39 UTC
Type: Bug

Description Stanislav Zidek 2019-05-02 13:36:06 UTC
Description of problem:
NSS does not seem to take into account many parts of PKCS#11 URI, e.g. 'id'.

Version-Release number of selected component (if applicable):
nss-3.41.0-5.el8.x86_64
p11-kit-0.23.14-4.el8.x86_64

How reproducible:
always

Steps to Reproduce:
1. add two certificates to softhsm token
2. try to list only one of them by specifying id in URI: certutil -d /etc/pki/nssdb/ -L -n 'pkcs11:id=%e9%42%e3%48%6f%0c%5e%c3%46%2b%e4%1a%51%d3%c1%0c%15%57%5d%04;type=cert'

Actual results:
both certificates returned

Expected results:
only one certificate returned

Additional info:
Another part of the URI that NSS does not care about is 'type'; it happily returns certificates even though 'type=private' is specified.
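
The matching the report expects, as an added example that is not NSS code and not part of the original report: under RFC 7512 every attribute present in the URI must match, so 'id' and 'type' each narrow the result. The token contents, the second id and all function names are constructed for illustration.

```python
from urllib.parse import unquote_to_bytes

# Object-level path attributes of RFC 7512; token/slot attributes are ignored here.
OBJECT_ATTRS = {"id", "object", "type"}

def parse_pkcs11_uri(uri):
    """Return {attribute: decoded bytes} for the path component of a pkcs11: URI."""
    scheme, sep, rest = uri.partition(":")
    if scheme != "pkcs11" or not sep:
        raise ValueError("not a pkcs11: URI")
    path = rest.split("?", 1)[0]  # query attributes (e.g. pin-source) are not filters
    attrs = {}
    for part in filter(None, path.split(";")):
        name, eq, value = part.partition("=")
        if not eq or name in attrs:
            raise ValueError(f"malformed or duplicate attribute: {part!r}")
        attrs[name] = unquote_to_bytes(value)  # percent-decoding; 'id' is binary
    return attrs

def matches(obj, attrs):
    """True only if every object attribute named in the URI equals the object's value."""
    return all(obj.get(n) == attrs[n] for n in attrs.keys() & OBJECT_ATTRS)

def select(objects, uri):
    """Objects that satisfy all object-level attributes of the URI (logical AND)."""
    attrs = parse_pkcs11_uri(uri)
    return [o for o in objects if matches(o, attrs)]

# URI taken from the report; the same value as raw bytes.
REPORT_URI = ("pkcs11:id=%e9%42%e3%48%6f%0c%5e%c3%46%2b%e4%1a%51%d3%c1%0c"
              "%15%57%5d%04;type=cert")
REPORT_ID = bytes.fromhex("e942e3486f0c5ec3462be41a51d3c10c15575d04")
OTHER_ID = bytes.fromhex("00112233445566778899aabbccddeeff00112233")  # constructed

# Constructed token contents: two certificates and one private key.
TOKEN = [
    {"type": b"cert", "id": REPORT_ID, "object": b"cert-a"},
    {"type": b"cert", "id": OTHER_ID, "object": b"cert-b"},
    {"type": b"private", "id": REPORT_ID, "object": b"key-a"},
]

if __name__ == "__main__":
    for o in select(TOKEN, REPORT_URI):
        print(o["object"].decode(), o["type"].decode(), o["id"].hex())
```

A listing that ignores 'id' would return both cert-a and cert-b for this URI, which is the behaviour reported above.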

Comment 10 Daiki Ueno 2022-07-28 01:51:02 UTC
The upstream fix has been merged (thanks for the review, Bob). I'm marking this as POST so it can be picked up in the next rebase.