Bug 100074

Summary: Name Constraint support
Product: p11-glue Reporter: Daniel Black <danielgb>
Component: p11-kitAssignee: Daiki Ueno <ueno>
Status: NEW --- QA Contact:
Severity: normal    
Priority: medium    
Version: unspecified   
Hardware: Other   
OS: All   
Whiteboard:
i915 platform: i915 features:

Description Daniel Black 2017-03-06 02:51:15 UTC 
Following the instructions here I've removed the IBM internal root from the etc/pki/ca-trust/source/anchors directory and created on here /etc/pki/ca-trust/source/IBM_Internal_Root_CA.p11-kit

Instructions: http://nmav.gnutls.org/2016/06/restricting-scope-of-ca-certificates.html

The following block was added in the file before the ----BEGIN CERTIFICATE

class: x-certificate-extension
label: "ibm.com CA restriction"
object-id: 2.5.29.30
value: "%30%16%06%03%55%1d%1e%04%0f%30%0d%a0%0b%30%09%82%07%69%62%6d%2e%63%6f%6d"

The value was obtained from origin  https://github.com/nmav/nconstraints
./nconstraints ibm.com
%30%16%06%03%55%1d%1e%04%0f%30%0d%a0%0b%30%09%82%07%69%62%6d%2e%63%6f%6d


The following was false but was changed to true:
modifiable: true

Running the following shows the errors.

# update-ca-trust
p11-kit: the CKA_TRUSTED attribute is not valid for the object
p11-kit: couldn't load file into objects: /etc/pki/ca-trust/source/IBM_Internal_Root_CA.p11-kit
p11-kit: the CKA_TRUSTED attribute is not valid for the object
p11-kit: couldn't load file into objects: /etc/pki/ca-trust/source/IBM_Internal_Root_CA.p11-kit
p11-kit: the CKA_TRUSTED attribute is not valid for the object
p11-kit: couldn't load file into objects: /etc/pki/ca-trust/source/IBM_Internal_Root_CA.p11-kit
p11-kit: the CKA_TRUSTED attribute is not valid for the object
p11-kit: couldn't load file into objects: /etc/pki/ca-trust/source/IBM_Internal_Root_CA.p11-kit
p11-kit: the CKA_TRUSTED attribute is not valid for the object
p11-kit: couldn't load file into objects: /etc/pki/ca-trust/source/IBM_Internal_Root_CA.p11-kit

Commenting out the added block resulted in update-ca-trust completeing without error.

This is using the /usr/bin/trust /usr/bin/p11-kit compiled from source at release 0.23.5

This was in a fc24 base distro.
Comment 1 Daiki Ueno 2017-05-25 14:16:19 UTC 
(In reply to Daniel Black from comment #0)
> Following the instructions here I've removed the IBM internal root from the
> etc/pki/ca-trust/source/anchors directory and created on here
> /etc/pki/ca-trust/source/IBM_Internal_Root_CA.p11-kit
> 
> Instructions:
> http://nmav.gnutls.org/2016/06/restricting-scope-of-ca-certificates.html
> 
> The following block was added in the file before the ----BEGIN CERTIFICATE
                                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This doesn't sound correct to me.  The extension object should be added in as a separate section to the certificate itself.  If you add it to the same file as the certificate the entire file should look like:

[p11-kit-object-v1]
trusted: true
x-distrusted: false
...
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

[p11-kit-object-v1]
class: x-certificate-extension
label: "ibm.com CA restriction"
object-id: 2.5.29.30
value: "%30%16%06%03%55%1d%1e%04%0f%30%0d%a0%0b%30%09%82%07%69%62%6d%2e%63%6f%6d"
-----BEGIN PUBLIC KEY-----
...
-----END PUBLIC KEY-----

> The following was false but was changed to true:
> modifiable: true

This is bug 99797.  The next release will allow you to set the attribute to false, by adjusting the file header:
https://github.com/p11-glue/p11-kit/pull/70

> Running the following shows the errors.
> 
> # update-ca-trust
> p11-kit: the CKA_TRUSTED attribute is not valid for the object

I suspect this is caused by the malformed "x-certificate-extension" section in the .p11-kit file.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.