Bug
Resolution: Unresolved
rhel-9.6, rhel-10.0
rhel-security-crypto
What were you trying to do that didn't work?
When trying to add a certificate with two CNs to the trust anchors, p11-kit labels it with the first CN rather than the last (most specific) one.
What is the impact of this issue to you?
Incorrect labelling can lead to certificate mis-identification
Please provide the package NVR for which the bug is seen:
p11-kit-0.25.3-3.el9_5.x86_64
How reproducible is this bug?:
always
Steps to reproduce
Create a certificate with multiple CNs:
openssl genpkey -algorithm RSA -out my-ca.key -pkeyopt rsa_keygen_bits:4096
openssl req -x509 -new -nodes -key my-ca.key -sha256 -days 3650 -subj "/C=CZ/ST=Prague/L=Prague/O=My Awesome CA/OU=Certificate Services/CN=pki/CN=My Awesome CA Root" -out my-ca.pem
Add it to trust anchors:
cp my-ca.pem /etc/pki/ca-trust/source/anchors/
update-ca-trust
List to see the labels:
trust list
...
pkcs11:id=%B4%4B%D6%96%C5%C9%D0%B6%1B%36%CB%68%47%0B%8A%CD%85%01%1F%D3;type=cert
    type: certificate
    label: pki    << here's the incorrect label
    trust: anchor
    category: authority
Expected results
Label is 'My Awesome CA Root'
Actual results
Label is 'pki'
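
An audit check for the behaviour reported above, as an added example that is not part of the report or of p11-kit: it walks a certificate's DER encoding with the Python standard library and returns the first and last subject CN when they differ, so anchors whose `trust list` label may be the less specific CN can be found. The helper names, the `sample()` certificate skeleton and its `issuer` name are constructed for illustration; only the first certificate in each PEM file is read.

```python
import base64, re, sys

CN_OID = bytes.fromhex("550403")  # id-at-commonName (2.5.4.3)

def tlv(data, pos):
    """Read one DER element at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def children(value):  # split a constructed element's content into (tag, value) pairs
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out

def subject_cns(der):
    """Return the subject's CN values in encoding order."""
    tbs = children(children(tlv(der, 0)[1])[0][1])
    if tbs[0][0] == 0xA0:  # skip the optional explicit [0] version
        tbs = tbs[1:]
    cns = []
    for _, rdn in children(tbs[4][1]):  # after serial, sigAlg, issuer, validity
        for _, atv in children(rdn):
            (_, oid), (vtag, val) = children(atv)[:2]
            if oid == CN_OID:  # BMPString is UTF-16; other types read as UTF-8
                cns.append(val.decode("utf-16-be" if vtag == 0x1E else "utf-8"))
    return cns

def ambiguous_label(der):  # (first_cn, last_cn) if the CNs differ, else None
    cns = subject_cns(der)
    return (cns[0], cns[-1]) if len(cns) > 1 and cns[0] != cns[-1] else None

def enc(tag, content):  # DER encoder, used only to build the constructed sample
    n = len(content)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb) if lb else n]) + lb + content
def name(*cns):  # constructed Name: one UTF8String CN per RDN
    return enc(0x30, b"".join(enc(0x31, enc(0x30, enc(6, CN_OID) + enc(12, c.encode()))) for c in cns))
def sample(*cns):  # constructed certificate skeleton (no key, no signature)
    tbs = enc(0xA0, enc(2, b"\x02")) + enc(2, b"\x01") + enc(0x30, b"") + name("issuer") + enc(0x30, b"") + name(*cns)
    return enc(0x30, enc(0x30, tbs))

if __name__ == "__main__":  # PEM paths as arguments, else the constructed sample
    ders = [base64.b64decode(re.search(r"BEGIN CERTIFICATE-----(.+?)-----END", open(p).read(), re.S).group(1)) for p in sys.argv[1:]]
    for der in ders or [sample("pki", "My Awesome CA Root")]:
        print(subject_cns(der), "->", ambiguous_label(der) or "no differing CNs")
```

Run it with the files under /etc/pki/ca-trust/source/anchors/ as arguments and compare the last CN it reports with the label shown by `trust list`.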