I spent a few hours testing bug 989013, but was constantly puzzled by the behaviour. Related background information can be found in bug 989013 comment 11.

I was *sometimes* able to reproduce the following, but then again, I couldn't:

- use a fully updated f19 system (which includes p11-kit 0.18.5)
- however, use the older ca-certificates package ca-certificates-2012.87-10.2.fc19.noarch, which contains the older Entrust 2048 root (the one lacking basic constraints) and which requires the stapled attributes found in /usr/share/pki/ca-trust-source/ca-bundle.supplement.p11-kit to be accepted by p11-kit-trust as a valid cert.

During one period of time, evolution + firefox listed the certificate as absent, indicating that stapling isn't working. (I'm worried this unreliable stapling might also cause the distrust stapling to not be effective.)

But then, after experimenting a lot, suddenly evolution + firefox showed the certificate. And even after I edited the ca-bundle.supplement.p11-kit file and removed the stapling section for the entrust root, the entrust 2048 root was still shown and listed as trusted.

I fully agree that what I saw doesn't make sense, and I wish I could present more consistent test results, but right now I can't.

Bug 989013 is evidence that we do have incorrect behaviour. People should never have seen the old Entrust root as untrusted, because we always shipped those stapling bits, and the newer ca-certificates (which was shipped just a few days ago) doesn't need the stapling bits.

I had a hard time reproducing bug 989013 in the beginning, then I suddenly was able to reproduce it. While trying to upgrade/downgrade packages and reset configurations, even restoring earlier non-reproducing configurations, I still saw the bug. And then suddenly I couldn't reproduce the bug any more, regardless of installed versions and configuration.
Sounds bad. Investigating.

(In reply to Kai Engert (:kaie) from comment #0)
> (I'm worried this unreliable stapling might also cause the distrust stapling
> to not be effective.)

For what it's worth, we don't use stapling to do distrust in Fedora 19 ca-certificates. So there's likely less cause for worry.
Created attachment 797260 [details]
Test case for bug where stapled extensions don't apply

Seems to happen if loaded after certificate.
Can reproduce. This is a race condition. The attached patch makes the tests fail. The problem is where the certificate is loaded before the stapled certificate extension. We have code to account for loading both ways, however it seems to be broken.
Test case failure, when above patch is applied.

.......F.......................

There was 1 failure:
1) test_build_certificate_staple_ca_backwards: test-builder.c:470: attribute does not match: expected { CKA_CERTIFICATE_CATEGORY = 2 (authority) } but found { CKA_CERTIFICATE_CATEGORY = 3 (other-entry) }

!!!FAILURES!!!
Runs: 31 Passes: 30 Fails: 1
FAIL: test-builder
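To make the ordering problem described in comment 4 and the failing "backwards" test above concrete, here is an added illustration in C. It is not p11-kit code and does not use the p11-kit API; it is a constructed, simplified trust-store model in which a certificate and a stapled basicConstraints extension for the same subject can arrive in either order. The store can run in a "buggy" mode that derives CKA_CERTIFICATE_CATEGORY only when the certificate is loaded, or a "fixed" mode that re-derives it whenever new evidence arrives. The subject name, the struct layout and the function names (load_certificate, load_stapled_extension, category_after_load) are all assumptions made for this example; only the category values 2 (authority) and 3 (other-entry) come from the test output quoted above.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Values mirror the CKA_CERTIFICATE_CATEGORY numbers quoted in the test output. */
enum { CATEGORY_UNSPECIFIED = 0, CATEGORY_AUTHORITY = 2, CATEGORY_OTHER_ENTRY = 3 };

/* One trust-store entry keyed by subject name (constructed, simplified model). */
struct entry {
    char subject[64];
    bool have_cert;     /* the certificate itself has been loaded */
    bool cert_is_ca;    /* certificate carries basicConstraints CA=TRUE */
    bool have_staple;   /* a stapled extension for this subject has been loaded */
    bool staple_is_ca;  /* stapled basicConstraints says CA=TRUE */
    int category;
};

#define MAX_ENTRIES 8
struct store {
    struct entry entries[MAX_ENTRIES];
    int count;
    bool recompute_on_staple; /* true = fixed behaviour, false = buggy behaviour */
};

static struct entry *find_or_add(struct store *s, const char *subject) {
    for (int i = 0; i < s->count; i++)
        if (strcmp(s->entries[i].subject, subject) == 0)
            return &s->entries[i];
    if (s->count >= MAX_ENTRIES)
        return NULL;
    struct entry *e = &s->entries[s->count++];
    memset(e, 0, sizeof *e);
    snprintf(e->subject, sizeof e->subject, "%s", subject);
    return e;
}

/* Derive the category from all evidence present, whatever order it arrived in. */
static void recompute(struct entry *e) {
    if (!e->have_cert) { e->category = CATEGORY_UNSPECIFIED; return; }
    bool is_ca = e->cert_is_ca || (e->have_staple && e->staple_is_ca);
    e->category = is_ca ? CATEGORY_AUTHORITY : CATEGORY_OTHER_ENTRY;
}

void load_certificate(struct store *s, const char *subject, bool cert_is_ca) {
    struct entry *e = find_or_add(s, subject);
    if (!e) return;
    e->have_cert = true;
    e->cert_is_ca = cert_is_ca;
    recompute(e);
}

void load_stapled_extension(struct store *s, const char *subject, bool staple_is_ca) {
    struct entry *e = find_or_add(s, subject);
    if (!e) return;
    e->have_staple = true;
    e->staple_is_ca = staple_is_ca;
    /* The buggy store only derives attributes when the certificate arrives, so a
       staple that shows up afterwards never updates the category. */
    if (s->recompute_on_staple)
        recompute(e);
}

int category_of(struct store *s, const char *subject) {
    struct entry *e = find_or_add(s, subject);
    return e ? e->category : CATEGORY_UNSPECIFIED;
}

/* Load a root that lacks basicConstraints plus its CA=TRUE staple, in the
   requested order, and report the category the store ends up with. */
int category_after_load(bool fixed, bool staple_first) {
    struct store s;
    memset(&s, 0, sizeof s);
    s.recompute_on_staple = fixed;
    const char *subject = "CN=Example Legacy Root (constructed)";
    if (staple_first) {
        load_stapled_extension(&s, subject, true);
        load_certificate(&s, subject, false);
    } else {
        load_certificate(&s, subject, false);
        load_stapled_extension(&s, subject, true);
    }
    return category_of(&s, subject);
}

int main(void) {
    printf("fixed, staple first: %d\n", category_after_load(true, true));
    printf("fixed, cert first:   %d\n", category_after_load(true, false));
    printf("buggy, staple first: %d\n", category_after_load(false, true));
    printf("buggy, cert first:   %d\n", category_after_load(false, false));
    return 0;
}
```

In the buggy mode the cert-first order ends up with category 3 (other-entry) while the staple-first order yields 2 (authority), which is the same asymmetry the failing test_build_certificate_staple_ca_backwards case reports; in the fixed mode both orders yield 2. The design point is that attributes derived from stapled data must be recomputed whenever either input arrives, never only at certificate-load time, or the outcome depends on load order and looks intermittent to the user.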
Patch upstream.
Scratch build with the upstream patch.
http://koji.fedoraproject.org/koji/taskinfo?taskID=5930658
Kai, have you had a chance to test this patch?
p11-kit-0.18.7-1.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/p11-kit-0.18.7-1.fc19
(In reply to Stef Walter from comment #7)
> Kai, have you had a chance to test this patch?

No, given how painful it was to test this issue, and how intermittent it was, I'd prefer if you could come up with a good testing strategy.
Understood ... We have an upstream test case for this. So I've pushed this as an update to fix the issue. As you noted, it should be rare to run into this, given its intermittency and the fact that we now have a better Entrust Root CA cert.
Package p11-kit-0.18.7-1.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.

Update it with:
# su -c 'yum update --enablerepo=updates-testing p11-kit-0.18.7-1.fc19'
as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-19259/p11-kit-0.18.7-1.fc19
then log in and leave karma (feedback).
p11-kit-0.18.7-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.