Bug 988745
| Summary: | p11-kit: the CKA_X_CRITICAL attribute is not valid for the object | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | piio <bugzilla> | ||||||
| Component: | ca-certificates | Assignee: | Kai Engert (:kaie) (inactive account) <kengert> | ||||||
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||||
| Severity: | unspecified | Docs Contact: | |||||||
| Priority: | unspecified | ||||||||
| Version: | rawhide | CC: | i, john_antony40, jorton, kengert, mclasen, michal, pwouters, stefw, tmraz | ||||||
| Target Milestone: | --- | ||||||||
| Target Release: | --- | ||||||||
| Hardware: | Unspecified | ||||||||
| OS: | Unspecified | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | ca-certificates-2013.1.94-18.fc20 | Doc Type: | Bug Fix | ||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2013-09-06 17:13:52 UTC | Type: | Bug | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Bug Depends On: | |||||||||
| Bug Blocks: | 1130485 | ||||||||
| Attachments: |
|
||||||||
|
Description
piio
2013-07-26 09:45:40 UTC
Indeed. Some of the fields for the p11-kit persistence format have changed, based on discussion on the mailing list. Will adapt the *.p11-kit files in ca-certificates... AFAICS "the CKA_X_CRITICAL attribute is not valid for the object" errors results from running /usr/bin/update-ca-trust script while installing ca-certificates. Packages ca-certificates-2013.1.94-16.fc20, with a build date "Fri 02 Aug 2013 10:32:00 PM MDT", and p11-kit-trust-0.19.3-2.fc20 are still affected by the issue. /usr/share/pki/ca-trust-source/ca-bundle.supplement.p11-kit indeed remains untouched. Created attachment 785635 [details]
Update BasicConstraints for Entrust root
The PKCS#11 attributes of a stapled extension changed slightly
during the 0.19.x releases. This was due to specification work on
the 'Storing Trust Policy' document.
Created attachment 785638 [details]
Update BasicConstraints for Entrust root
The PKCS#11 attributes of a stapled extension changed slightly
during the 0.19.x releases. This was due to specification work on
the 'Storing Trust Policy' document.
Kai, can I push this change and do a build/update to ca-certificates? Sorry, it wasn't clear to me that you had asked for an update. It seems like you are requiring changes to the files we ship, because of incompatibilities between p11-kit versions. Can you please clearly document until which version the old format was being used, and from which version the new format is required? Comment on attachment 785638 [details]
Update BasicConstraints for Entrust root
If this new file is incompatible with old p11-kit, and works correctly with a newer p11-kit only, we should have a conflicts: rpm statement in the spec file, and a requires: statement for the newer version.
Updating : ca-certificates-2013.1.94-17.fc21.noarch 23/358 p11-kit: the CKA_X_CRITICAL attribute is not valid for the object p11-kit: couldn't load file into objects: /usr/share/pki/ca-trust-source/ca-bundle.supplement.p11-kit p11-kit: the CKA_X_CRITICAL attribute is not valid for the object p11-kit: couldn't load file into objects: /usr/share/pki/ca-trust-source/ca-bundle.supplement.p11-kit p11-kit: the CKA_X_CRITICAL attribute is not valid for the object p11-kit: couldn't load file into objects: /usr/share/pki/ca-trust-source/ca-bundle.supplement.p11-kit p11-kit: the CKA_X_CRITICAL attribute is not valid for the object p11-kit: couldn't load file into objects: /usr/share/pki/ca-trust-source/ca-bundle.supplement.p11-kit p11-kit: the CKA_X_CRITICAL attribute is not valid for the object p11-kit: couldn't load file into objects: /usr/share/pki/ca-trust-source/ca-bundle.supplement.p11-kit Could you please try the ca-certificates package for rawhide/f21 here: http://koji.fedoraproject.org/koji/taskinfo?taskID=5905170 Does it fix the issue for you? It looks like the issue is fixed. Thanks. Thanks for testing. I assume the F20 package will still be picked up automatically. (In reply to Kai Engert (:kaie) from comment #11) > Thanks for testing. > I assume the F20 package will still be picked up automatically. Hmmm, I started to have to do updates recently. But maybe I'm just confused :) ca-certificates-2013.1.94-18.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/ca-certificates-2013.1.94-18.fc20 (In reply to Stef Walter from comment #12) > (In reply to Kai Engert (:kaie) from comment #11) > > Thanks for testing. > > I assume the F20 package will still be picked up automatically. > > Hmmm, I started to have to do updates recently. But maybe I'm just confused > :) Thanks for motivating me to doublecheck. Since bodhi now lists f20, you are probably right, and submitting an update is indeed necessary already. ca-certificates-2013.1.94-18.fc20 ca-certificates-2013.1.94-18.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report. |