This service will be undergoing maintenance at 00:00 UTC, 2017-10-23 It is expected to last about 30 minutes
Bug 988745 - p11-kit: the CKA_X_CRITICAL attribute is not valid for the object
p11-kit: the CKA_X_CRITICAL attribute is not valid for the object
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: ca-certificates (Show other bugs)
rawhide
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Kai Engert (:kaie)
Fedora Extras Quality Assurance
:
Depends On:
Blocks: 1130485
  Show dependency treegraph
 
Reported: 2013-07-26 05:45 EDT by piio
Modified: 2014-09-05 08:29 EDT (History)
9 users (show)

See Also:
Fixed In Version: ca-certificates-2013.1.94-18.fc20
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-09-06 13:13:52 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Update BasicConstraints for Entrust root (1.59 KB, patch)
2013-08-12 06:19 EDT, Stef Walter
no flags Details | Diff
Update BasicConstraints for Entrust root (2.49 KB, patch)
2013-08-12 06:38 EDT, Stef Walter
no flags Details | Diff

  None (edit)
Description piio 2013-07-26 05:45:40 EDT
Description of problem:
After update to p11-kit-0.19.3-1.fc20.i686 I see warnings:
p11-kit: the CKA_X_CRITICAL attribute is not valid for the object
p11-kit: couldn't load file into objects: /usr/share/pki/ca-trust-source/ca-bundle.supplement.p11-kit

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Comment 1 Stef Walter 2013-07-30 06:23:09 EDT
Indeed. Some of the fields for the p11-kit persistence format have changed, based on discussion on the mailing list. Will adapt the *.p11-kit files in ca-certificates...
Comment 2 Michal Jaegermann 2013-08-11 17:27:50 EDT
AFAICS "the CKA_X_CRITICAL attribute is not valid for the object" errors results from running /usr/bin/update-ca-trust script while installing ca-certificates.  Packages ca-certificates-2013.1.94-16.fc20, with a build date "Fri 02 Aug 2013 10:32:00 PM MDT", and p11-kit-trust-0.19.3-2.fc20 are still affected by the issue. /usr/share/pki/ca-trust-source/ca-bundle.supplement.p11-kit indeed remains untouched.
Comment 3 Stef Walter 2013-08-12 06:19:54 EDT
Created attachment 785635 [details]
Update BasicConstraints for Entrust root

    The PKCS#11 attributes of a stapled extension changed slightly
    during the 0.19.x releases. This was due to specification work on
    the 'Storing Trust Policy' document.
Comment 4 Stef Walter 2013-08-12 06:38:19 EDT
Created attachment 785638 [details]
Update BasicConstraints for Entrust root

    The PKCS#11 attributes of a stapled extension changed slightly
    during the 0.19.x releases. This was due to specification work on
    the 'Storing Trust Policy' document.
Comment 5 Stef Walter 2013-09-04 11:15:37 EDT
Kai, can I push this change and do a build/update to ca-certificates?
Comment 6 Kai Engert (:kaie) 2013-09-04 11:27:06 EDT
Sorry, it wasn't clear to me that you had asked for an update.

It seems like you are requiring changes to the files we ship, because of incompatibilities between p11-kit versions.

Can you please clearly document until which version the old format was being used, and from which version the new format is required?
Comment 7 Kai Engert (:kaie) 2013-09-04 11:34:32 EDT
Comment on attachment 785638 [details]
Update BasicConstraints for Entrust root

If this new file is incompatible with old p11-kit, and works correctly with a newer p11-kit only, we should have a conflicts: rpm statement in the spec file, and a requires: statement for the newer version.
Comment 8 Christopher Meng 2013-09-04 20:28:26 EDT
  Updating   : ca-certificates-2013.1.94-17.fc21.noarch                                                                                               23/358 
p11-kit: the CKA_X_CRITICAL attribute is not valid for the object
p11-kit: couldn't load file into objects: /usr/share/pki/ca-trust-source/ca-bundle.supplement.p11-kit
p11-kit: the CKA_X_CRITICAL attribute is not valid for the object
p11-kit: couldn't load file into objects: /usr/share/pki/ca-trust-source/ca-bundle.supplement.p11-kit
p11-kit: the CKA_X_CRITICAL attribute is not valid for the object
p11-kit: couldn't load file into objects: /usr/share/pki/ca-trust-source/ca-bundle.supplement.p11-kit
p11-kit: the CKA_X_CRITICAL attribute is not valid for the object
p11-kit: couldn't load file into objects: /usr/share/pki/ca-trust-source/ca-bundle.supplement.p11-kit
p11-kit: the CKA_X_CRITICAL attribute is not valid for the object
p11-kit: couldn't load file into objects: /usr/share/pki/ca-trust-source/ca-bundle.supplement.p11-kit
Comment 9 Kai Engert (:kaie) 2013-09-06 11:44:23 EDT
Could you please try the ca-certificates package for rawhide/f21 here:
http://koji.fedoraproject.org/koji/taskinfo?taskID=5905170

Does it fix the issue for you?
Comment 10 piio 2013-09-06 12:10:27 EDT
It looks like the issue is fixed. Thanks.
Comment 11 Kai Engert (:kaie) 2013-09-06 13:13:52 EDT
Thanks for testing.
I assume the F20 package will still be picked up automatically.
Comment 12 Stef Walter 2013-09-09 09:33:21 EDT
(In reply to Kai Engert (:kaie) from comment #11)
> Thanks for testing.
> I assume the F20 package will still be picked up automatically.

Hmmm, I started to have to do updates recently. But maybe I'm just confused :)
Comment 13 Fedora Update System 2013-09-09 10:52:45 EDT
ca-certificates-2013.1.94-18.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/ca-certificates-2013.1.94-18.fc20
Comment 14 Kai Engert (:kaie) 2013-09-09 10:55:23 EDT
(In reply to Stef Walter from comment #12)
> (In reply to Kai Engert (:kaie) from comment #11)
> > Thanks for testing.
> > I assume the F20 package will still be picked up automatically.
> 
> Hmmm, I started to have to do updates recently. But maybe I'm just confused
> :)

Thanks for motivating me to doublecheck.

Since bodhi now lists f20, you are probably right, and submitting an update is indeed necessary already.

ca-certificates-2013.1.94-18.fc20
Comment 15 Fedora Update System 2013-09-22 20:38:24 EDT
ca-certificates-2013.1.94-18.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.