Bug 1130485 - warning "CKA_X_CRITICAL attribute is not valid for the object" when using the p11-kit-trust module
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ca-certificates
Version: 7.1
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Kai Engert (:kaie) (inactive account)
QA Contact: Aleš Mareček
URL:
Whiteboard:
Depends On: 988745
Blocks:
Reported: 2014-08-15 11:18 UTC by Nikos Mavrogiannopoulos
Modified: 2015-03-05 10:36 UTC
CC: 6 users

Fixed In Version: ca-certificates-2014.1.98-72.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-03-05 10:36:42 UTC
Target Upstream Version:
Embargoed:


Attachments
Commit to ca-certificates that fixes the issue (3.01 KB, patch)
2014-09-05 12:38 UTC, Stef Walter
Commit which removes Entrust stapled certificate extension (1.76 KB, patch)
2014-09-05 14:24 UTC, Stef Walter


Links
Red Hat Product Errata RHBA-2015:0472 (normal, SHIPPED_LIVE): ca-certificates bug fix and enhancement update, last updated 2015-03-05 15:16:01 UTC

Description Nikos Mavrogiannopoulos 2014-08-15 11:18:46 UTC
I've updated gnutls to use the p11-kit trust module and tested it in RHEL-7.0. Running the following command shows:
$ gnutls-cli www.amazon.com
p11-kit: the CKA_X_CRITICAL attribute is not valid for the object
p11-kit: couldn't load file into objects: /usr/share/pki/ca-trust-source/ca-bundle.supplement.p11-kit

So it seems there is some issue either in ca-certificates in RHEL-7.0 or p11-kit trust module in RHEL-7.1.

Comment 2 Stef Walter 2014-08-15 11:58:22 UTC
Yes, with a rebase to 0.20.x we'll probably need to update from the one .p11-kit file from the interim format that was used in F19 and RHEL 6/7.

Comment 3 Stef Walter 2014-09-05 12:29:09 UTC
This is related to #988745, which was the same issue on Fedora.

Comment 4 Stef Walter 2014-09-05 12:38:37 UTC
Created attachment 934767 [details]
Commit to ca-certificates that fixes the issue

This commit brings over the fix from Fedora.

Scratch build here: https://brewweb.devel.redhat.com/taskinfo?taskID=7923453

Comment 6 Stef Walter 2014-09-05 13:16:27 UTC
Hmmm, I'm not sure this stapled extension is necessary any more. The Entrust Root seems to have BasicConstraints.

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1164660820 (0x456b5054)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=Entrust, Inc., OU=www.entrust.net/CPS is incorporated by reference, OU=(c) 2006 Entrust, Inc., CN=Entrust Root Certification Authority
        Validity
            Not Before: Nov 27 20:23:42 2006 GMT
            Not After : Nov 27 20:53:42 2026 GMT
        Subject: C=US, O=Entrust, Inc., OU=www.entrust.net/CPS is incorporated by reference, OU=(c) 2006 Entrust, Inc., CN=Entrust Root Certification Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Private Key Usage Period: 
                Not Before: Nov 27 20:23:42 2006 GMT, Not After: Nov 27 20:53:42 2026 GMT
            X509v3 Authority Key Identifier: 
                keyid:68:90:E4:67:A4:A6:53:80:C7:86:66:A4:F1:F7:4B:43:FB:84:BD:6D

            X509v3 Subject Key Identifier: 
                68:90:E4:67:A4:A6:53:80:C7:86:66:A4:F1:F7:4B:43:FB:84:BD:6D
            1.2.840.113533.7.65.0: 
                0...V7.1:4.0....
    Signature Algorithm: sha1WithRSAEncryption
Trusted Uses:
  TLS Web Server Authentication
No Rejected Uses.
Alias: Entrust Root Certification Authority

Comment 7 Stef Walter 2014-09-05 14:17:14 UTC
No, this here is the right certificate, as evidenced by the subject key identifier in the patch: %55%e4%81%d1%11%80%be%d8%89%b9%08%a3%31%f9%a1%24%09%16%b9%70

As you can see it already has BasicConstraints. So our additional stapled certificate extension is not necessary. Will attach a patch that removes it.

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 946069240 (0x3863def8)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=Entrust.net, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Certification Authority (2048)
        Validity
            Not Before: Dec 24 17:50:51 1999 GMT
            Not After : Jul 24 14:15:12 2029 GMT
        Subject: O=Entrust.net, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Certification Authority (2048)
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier: 
                55:E4:81:D1:11:80:BE:D8:89:B9:08:A3:31:F9:A1:24:09:16:B9:70
    Signature Algorithm: sha1WithRSAEncryption
Trusted Uses:
  Code Signing, E-mail Protection, TLS Web Server Authentication
No Rejected Uses.
Alias: Entrust.net Premium 2048 Secure Server CA
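
As an added illustration of the check behind comments 6 and 7 (this is not code from the bug, from ca-certificates or from p11-kit): a small pure-Python DER walker that reports whether a certificate carries id-ce-basicConstraints and whether it is critical with CA:TRUE, the property whose absence the stapled extension in the .p11-kit file was there to supply. The toy certificate it builds is constructed for the demo only; on a real system you would feed `basic_constraints()` the DER bytes of an anchor taken from the bundle.

```python
OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")     # id-ce-basicConstraints, 2.5.29.19
def tlv(tag, content):
    """Encode one DER TLV (short- or long-form length)."""
    n = len(content)
    if n >= 0x80:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([tag, 0x80 | len(body)]) + body + content
    return bytes([tag, n]) + content

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(buf):
    pos = 0                                          # yield (tag, value) of each element
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        yield tag, val

def basic_constraints(cert_der):
    """(critical, ca) of id-ce-basicConstraints, or None if absent (the gap the stapled extension filled)."""
    tbs = read_tlv(read_tlv(cert_der)[1])[1]         # Certificate -> tbsCertificate
    for tag, val in children(tbs):
        if tag != 0xA3:                              # [3] EXPLICIT Extensions
            continue
        for _, ext in children(read_tlv(val)[1]):
            fields = list(children(ext))             # extnID, [critical], extnValue
            if fields[0][1] != OID_BASIC_CONSTRAINTS:
                continue
            critical = len(fields) == 3 and fields[1][1] == b"\xff"
            bc = read_tlv(fields[-1][1])[1]          # OCTET STRING wraps BasicConstraints SEQUENCE
            return critical, any(t == 0x01 and v == b"\xff" for t, v in children(bc))
    return None

def build_toy_cert(with_basic_constraints):
    """Constructed, unsigned toy certificate (empty names, dummy key); not a real Entrust cert."""
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010105")) + b"\x05\x00")  # sha1WithRSAEncryption
    name, bitstr = tlv(0x30, b""), tlv(0x03, b"\x00")
    validity = tlv(0x30, tlv(0x17, b"061127202342Z") + tlv(0x17, b"261127205342Z"))
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg + name + validity
           + name + tlv(0x30, alg + bitstr))
    if with_basic_constraints:                       # extnValue 30 03 01 01 ff = CA:TRUE
        ext = tlv(0x30, tlv(0x06, OID_BASIC_CONSTRAINTS) + tlv(0x01, b"\xff")
                  + tlv(0x04, tlv(0x30, tlv(0x01, b"\xff"))))
        tbs += tlv(0xA3, tlv(0x30, ext))
    return tlv(0x30, tlv(0x30, tbs) + alg + bitstr)
```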

Comment 8 Stef Walter 2014-09-05 14:22:51 UTC
How to verify this fix. The following should have identical output in RHEL 7.0 and RHEL 7.1:

$ p11-kit extract --filter=ca-anchors --format=pem-bundle --comment --purpose=server-auth --overwrite /tmp/test
$ grep 'Entrust.net Premium 2048 Secure Server CA' /tmp/test
# Entrust.net Premium 2048 Secure Server CA

Comment 9 Stef Walter 2014-09-05 14:24:27 UTC
Created attachment 934818 [details]
Commit which removes Entrust stapled certificate extension

Comment 10 Stef Walter 2014-09-05 14:30:34 UTC
Scratch build with new fix that removes Entrust stapled certificate extension: https://brewweb.devel.redhat.com/taskinfo?taskID=7923967

Comment 11 David Jaša 2014-09-08 08:10:22 UTC
(In reply to Stef Walter from comment #8)
> How to verify this fix. The following should have identical output in RHEL
> 7.0 and RHEL 7.1:
> 
> $ p11-kit extract --filter=ca-anchors --format=pem-bundle --comment
> --purpose=server-auth --overwrite /tmp/test
> $ grep 'Entrust.net Premium 2048 Secure Server CA' /tmp/test
> # Entrust.net Premium 2048 Secure Server CA

(In reply to Stef Walter from comment #10)
> Scratch build with new fix that removes Entrust stapled certificate
> extension: https://brewweb.devel.redhat.com/taskinfo?taskID=7923967

Works for me:

bash-4.2$ p11-kit extract --filter=ca-anchors --format=pem-bundle --comment --purpose=server-auth --overwrite /tmp/test
p11-kit: invalid basic constraints certificate extension
p11-kit: invalid basic constraints certificate extension
p11-kit: invalid basic constraints certificate extension
p11-kit: invalid basic constraints certificate extension
p11-kit: invalid basic constraints certificate extension
p11-kit: invalid basic constraints certificate extension
p11-kit: invalid basic constraints certificate extension
p11-kit: invalid basic constraints certificate extension
p11-kit: invalid basic constraints certificate extension
bash-4.2$ grep 'Entrust.net Premium 2048 Secure Server CA' /tmp/test
# Entrust.net Premium 2048 Secure Server CA
bash-4.2$

Comment 12 Stef Walter 2014-09-08 08:12:25 UTC
Thanks for trying it out.

I see the 'invalid basic constraints certificate extension' errors there. Could you attach (or email me, if it's sensitive) the output of the following:

$ tar -czvf ~/ca-trust-source.tgz /etc/pki/ca-trust/source /usr/share/pki/ca-trust-source

Comment 13 David Jaša 2014-09-08 08:37:08 UTC
Created attachment 935274 [details]
ca trust source

Comment 14 Stef Walter 2014-09-08 20:32:45 UTC
(In reply to Stef Walter from comment #12)
> Thanks for trying it out.
> 
> I see the 'invalid basic constraints certificate extension' errors there.

Hmmm, I can't duplicate this. What version of p11-kit-trust do you have installed?

Comment 15 David Jaša 2014-09-08 21:57:13 UTC
(In reply to Stef Walter from comment #14)
> (In reply to Stef Walter from comment #12)
> > Thanks for trying it out.
> > 
> > I see the 'invalid basic constraints certificate extension' errors there.
> 
> Hmmm, I can't duplicate this. What version of p11-kit-trust do you have
> installed?

p11-kit-trust-0.20.4-1.el7.x86_64 (RHEL 7.0)

Comment 16 Stef Walter 2014-09-09 05:31:41 UTC
David, p11-kit-trust 0.20.5 should fix that issue.

Comment 17 David Jaša 2014-09-09 08:04:58 UTC
Yes, 0.20.5 indeed fixes the issue for me.

Comment 18 Stef Walter 2014-09-09 15:02:56 UTC
To clarify, we've verified that the issue David ran into was not related to this bug, but already fixed elsewhere.

Comment 19 Kai Engert (:kaie) (inactive account) 2014-09-17 16:37:37 UTC
Stef, thanks a lot for your clarifications and your work on this issue.

I confirm that the related Entrust root certificate has been replaced with a newer one that contains the basic constraint extension in upstream
https://bugzilla.mozilla.org/show_bug.cgi?id=856678

It has been contained in RHEL 7 builds since the ca-certificates-2013.1.94-70.0.el7 build in September 2013 (one year ago).

I agree that removing the stapled extension is the right thing to do, so all I have to do is to commit and build your patch :-) which I'll do now.

Comment 23 errata-xmlrpc 2015-03-05 10:36:42 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0472.html

