Loading...

Linking RHIVOS CVEs to...

Migration: Automation ...

SWIFT: POC Conversion

Sync from "Extern...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Normal
Fix Version/s: None
Affects Version/s: rhel-10.0
Component/s: p11-kit
Labels:

Regression:
No
Severity:
Low
Epic Link:
CRYPTO-17301
sprint_count:
1

AssignedTeam:
rhel-security-crypto
Sub-System Group:

ssg_security

Story Points:
3
Blocked:
False
Ready:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
No
Sprint:
Crypto25July

Preliminary Testing:
None
Test Coverage:
None

Release Note Type:
Release Note Not Required
ProdDocsReview-CCS:
Unspecified
ProdDocsReview-Dev:
Unspecified
ProdDocsReview-QE:
Unspecified

Experience:

PX Impact Score:
SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

I've encountered some strange behaviour with at least one certain certificate: distrusting it leads to the file being renamed when --format=openssl-directory is used.
In terms of `trust` invocations, the reproducer looks like this:

distrusting "Japanese Goverment" gets it renamed to "ApplicationCA"

# This is the first, problematic certificate
C1=pkcs11:id=%54%5A%CB%26%3F%71%CC%94%46%0D%96%53%EA%6B%48%D0%93%FE%42%75;type=cert
  # OU=ApplicationCA,O=Japanese Government,C=JP
  # label: Japanese Government
trust list --filter=$C1

# This is the second, reference certificate
C2=pkcs11:id=%56%A7%AC%AA%02%1D%B2%AC%3D%90%0E%A0%6F%2E%41%C6%76%E7%7B%DA;type=cert
  # CN=ApplicationCA2 Root,OU=GPKI,O=Japanese Government,C=JP
  # label: ApplicationCA2 Root
trust list --filter=$C2

# This is the default output with regards to them
trust extract --format=openssl-directory --filter=certificates default
ls -l --time-style=+- default | grep -E '(Japanese|ApplicationCA)' | tee default.list
# 10e86c82.0 and cd47d6af.0 point to ApplicationCA2_Root.pem: OK
# 57bbd831.0 and fac084d7.0 point to Japanese_Government.pem: OK

# Distrusting the first certificate gets it renamed
trust extract --filter=$C1 --format=x509-file /etc/pki/ca-trust/source/blocklist/JapaneseGovernment.crt
trust extract --format=openssl-directory --filter=certificates block1
ls -l --time-style=+- block1 | grep -E '(Japanese|ApplicationCA)' | tee block1.list
# 10e86c82.0 and cd47d6af.0 point to ApplicationCA2_Root.pem
# 57bbd831.0 and fac084d7.0 point to ApplicationCA.pem  <--- this is unexpected
diff -U0 default.list block1.list && exit 5

Note that this doesn't happen to "ApplicationCA2_Root"

trust extract --filter=$C2 --format=x509-file /etc/pki/ca-trust/source/blocklist/JapaneseGovernment.crt
trust extract --format=openssl-directory --filter=certificates block2
ls -l --time-style=+- block2 | grep -E '(Japanese|ApplicationCA)' | tee block2.list
# 57bbd831.0 and fac084d7.0 point to Japanese_Government.pem: OK
# 10e86c82.0 and cd47d6af.0 point to ApplicationCA2_Root.pem <-- no change
diff -U0 default.list block2.list && exit 9

reproduced with: ca-certificates-2024.2.69_v8.0.303-102.5.el10, p11-kit-0.25.5-7.el10, openssl-3.2.2-16.el10

blocks

RHEL-84108 ca-certificates: directory-hash format is not in "--BEGIN TRUSTED CERT--" format as expected

In Progress

Assignee:: Zoltan Fridrich

Reporter:: Alexander Sosedkin

Developer:: Zoltan Fridrich

QA Contact:: Miluse Bezo Konecna

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Created:: 2025/04/03 9:27 AM

Updated:: 2025/07/29 12:33 PM

Resolved:: 2025/07/17 1:51 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates

Hide