Bug 1705561 - PKCS#11 URI filtering does not work [rhel-8.9.0]
Keywords:
Status: VERIFIED
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: nss
Version: 8.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Bob Relyea
QA Contact: Alexander Sosedkin
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-05-02 13:36 UTC by Stanislav Zidek
Modified: 2023-08-16 14:20 UTC

Fixed In Version: nss-3.90.0-3.el8_8
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-01-18 23:03:39 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Mozilla Foundation | 1681099 | 0 | -- | NEW | Certificate lookup with PKCS #11 URI doesn't take into account of attributes other than "object" | 2021-01-18 22:47:21 UTC

Description Stanislav Zidek 2019-05-02 13:36:06 UTC
Description of problem:
NSS does not seem to take into account many parts of PKCS#11 URI, e.g. 'id'.

Version-Release number of selected component (if applicable):
nss-3.41.0-5.el8.x86_64
p11-kit-0.23.14-4.el8.x86_64

How reproducible:
always

Steps to Reproduce:
1. add two certificates to softhsm token
2. try to list only one of them by specifying id in URI: certutil -d /etc/pki/nssdb/ -L -n 'pkcs11:id=%e9%42%e3%48%6f%0c%5e%c3%46%2b%e4%1a%51%d3%c1%0c%15%57%5d%04;type=cert'

Actual results:
both certificates returned

Expected results:
only one certificate returned

Additional info:
Another part of the URI that NSS does not care about is 'type'; it happily returns certificates even though 'type=private' is specified.
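
The filtering this report expects, sketched as an added example (not NSS code and not part of the original report): every object attribute present in the URI path must match, and absent attributes act as wildcards, following RFC 7512. The names `parse_pkcs11_uri`, `matches`, `select` and the `OBJECTS` store are hypothetical and the store is constructed; only the `id` value comes from the report. Rejecting attributes the filter cannot evaluate is a choice made for this example.

```python
from urllib.parse import unquote_to_bytes

# Object-level path attributes from RFC 7512 that this example filters on.
OBJECT_ATTRS = ("id", "object", "type")

# Constructed token contents: two certificates and a key sharing cert-a's id.
ID_A = bytes.fromhex("e942e3486f0c5ec3462be41a51d3c10c15575d04")  # id from the report
ID_B = bytes.fromhex("0102030405060708090a0b0c0d0e0f1011121314")  # constructed
OBJECTS = [
    {"type": b"cert", "id": ID_A, "object": b"cert-a"},
    {"type": b"cert", "id": ID_B, "object": b"cert-b"},
    {"type": b"private", "id": ID_A, "object": b"key-a"},
]

def parse_pkcs11_uri(uri):
    """Return the path attributes of a pkcs11: URI as {name: bytes}."""
    scheme, sep, rest = uri.partition(":")
    if not sep or scheme != "pkcs11":
        raise ValueError("not a pkcs11 URI")
    path = rest.split("?", 1)[0]  # query attributes (e.g. pin-source) are not filters
    attrs = {}
    for part in filter(None, path.split(";")):
        name, eq, value = part.partition("=")
        if not eq or name in attrs:
            raise ValueError(f"malformed or duplicate attribute: {part!r}")
        attrs[name] = unquote_to_bytes(value)  # 'id' is raw bytes, percent-encoded
    return attrs

def matches(attrs, obj):
    """True only if every object attribute given in the URI equals the object's."""
    return all(attrs[n] == obj[n] for n in OBJECT_ATTRS if n in attrs)

def select(uri, objects):
    """Return the objects the URI identifies; fail closed on unhandled attributes."""
    attrs = parse_pkcs11_uri(uri)
    unknown = set(attrs) - set(OBJECT_ATTRS)
    if unknown:
        # Silently ignoring an attribute widens the match, which is the bug class
        # reported here, so this example refuses instead.
        raise ValueError(f"cannot filter on: {sorted(unknown)}")
    return [o for o in objects if matches(attrs, o)]

if __name__ == "__main__":
    uri = "pkcs11:id=%e9%42%e3%48%6f%0c%5e%c3%46%2b%e4%1a%51%d3%c1%0c%15%57%5d%04;type=cert"
    print([o["object"] for o in select(uri, OBJECTS)])
```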

Comment 10 Daiki Ueno 2022-07-28 01:51:02 UTC
The upstream fix has been merged (thanks for the review, Bob). I'm marking this as POST so it can be picked up in the next rebase.

