Bug#914199: p11-kit: Does not tolerate extra comments in /etc/ssl/certs/ca-certificates.crt
Sam Morris
sam at robots.org.uk
Tue Nov 20 14:33:51 GMT 2018
Package: p11-kit
Version: 0.23.3-2
Severity: important
$ grep BEGIN /etc/ssl/certs/ca-certificates.crt | wc -l
154
$ trust list; echo $?
0
That's from p11-kit 0.23.14-2. If I use the version from stable there is at
least a clue that something is amiss:
# trust list; echo $?
p11-kit: ca-certificates.crt: BEGIN ...: pem block before p11-kit section header
p11-kit: ca-certificates.crt: BEGIN ...: pem block before p11-kit section header
0
It turns out that, in-between the PEM-encoded certificates in
ca-certificates.crt, I have some lines:
...
-----END CERTIFICATE-----
# This file was created by IPA. Do not edit.
[p11-kit-object-v1]
class: certificate
certificate-type: x-509
certificate-category: authority
label: "CN%3Dipa-CA%2CDC%3Dipa%2CDC%3Dexample%2CDC%3Dcom"
subject: "..."
issuer: "..."
serial-number: "..."
x-public-key-info: "..."
trusted: true
-----BEGIN CERTIFICATE-----
...
These are in turn taken from the file that ipa-client-install dropped into
/usr/local/share/ca-certificates/ipa-ca.crt.
IMO p11-kit should treat these extra lines as comments since other tools
(openssl, gnutls) are perfectly happy to ignore them.
It would also be nice if it printed some more useful output to help users
debug issues such as these, and not exit with status 0 if problems are
detected. :)
-- System Information:
Debian Release: buster/sid
APT prefers testing-debug
APT policy: (570, 'testing-debug'), (570, 'testing'), (540, 'unstable-debug'), (540, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.18.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages p11-kit depends on:
ii libc6 2.27-8
ii libp11-kit0 0.23.14-2
ii libtasn1-6 4.13-3
ii p11-kit-modules 0.23.14-2
p11-kit recommends no packages.
p11-kit suggests no packages.
-- no debconf information
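A small checker for the situation described above, added here as an example; it is not p11-kit's code and not part of the original report. It walks a bundle such as /etc/ssl/certs/ca-certificates.crt, skips '#' comment lines the way the reporter asks for, and reports every PEM block that precedes the first [p11-kit-object-v1] header with the same wording as the stable version's message, exiting non-zero when anything is flagged. The rule it applies (a file containing a [p11-kit-object-v1] header anywhere is treated as a p11-kit object file, so PEM blocks before the first header are errors) is an assumption inferred from the error text quoted in the report, not a description of p11-kit's actual parser; the sample bundle and the lint_bundle/main names are constructed for this example.

```python
"""Lint a CA bundle that mixes plain PEM blocks with p11-kit
[p11-kit-object-v1] sections (added example, not p11-kit code)."""
import re
import sys

SECTION_HEADER = "[p11-kit-object-v1]"
PEM_BEGIN = re.compile(r"^-----BEGIN ([A-Z ]+)-----$")
PEM_END = re.compile(r"^-----END ([A-Z ]+)-----$")
ATTRIBUTE = re.compile(r"^[a-z0-9-]+:")  # e.g. "class: certificate"


def lint_bundle(text):
    """Return (pem_count, problems); problems is a list of (lineno, message).

    Assumed model (inferred from the error message in the bug report, not
    from p11-kit's source): if a [p11-kit-object-v1] header appears anywhere,
    every PEM block before the first header is "pem block before p11-kit
    section header".  Blank lines and '#' comments are ignored everywhere.
    """
    lines = text.splitlines()
    has_header = any(l.strip() == SECTION_HEADER for l in lines)
    seen_header = False
    in_pem = None  # (label, begin lineno) while inside a PEM block
    pem_count = 0
    problems = []

    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if in_pem:
            m = PEM_END.match(line)
            if m:
                if m.group(1) != in_pem[0]:
                    problems.append((lineno, "END %s does not match BEGIN %s at line %d"
                                     % (m.group(1), in_pem[0], in_pem[1])))
                in_pem = None
            continue  # base64 body lines need no further checks here
        if not line or line.startswith("#"):
            continue  # comments and blank lines are tolerated
        if line == SECTION_HEADER:
            seen_header = True
            continue
        m = PEM_BEGIN.match(line)
        if m:
            pem_count += 1
            if has_header and not seen_header:
                problems.append((lineno, "BEGIN %s: pem block before p11-kit section header"
                                 % m.group(1)))
            in_pem = (m.group(1), lineno)
            continue
        if seen_header and ATTRIBUTE.match(line):
            continue  # attribute of the current [p11-kit-object-v1] section
        problems.append((lineno, "unexpected line: %r" % line))

    if in_pem:
        problems.append((len(lines), "unterminated PEM block started at line %d" % in_pem[1]))
    return pem_count, problems


# Constructed sample mirroring the layout quoted in the report: one plain
# certificate, then the IPA comment and section, then the IPA certificate.
SAMPLE = """\
-----BEGIN CERTIFICATE-----
MIIB
-----END CERTIFICATE-----
# This file was created by IPA. Do not edit.
[p11-kit-object-v1]
class: certificate
certificate-type: x-509
certificate-category: authority
label: "CN%3Dipa-CA%2CDC%3Dipa%2CDC%3Dexample%2CDC%3Dcom"
trusted: true
-----BEGIN CERTIFICATE-----
MIIC
-----END CERTIFICATE-----
"""


def main(argv):
    path = argv[1] if len(argv) > 1 else "/etc/ssl/certs/ca-certificates.crt"
    with open(path) as f:
        count, problems = lint_bundle(f.read())
    for lineno, msg in problems:
        print("%s:%d: %s" % (path, lineno, msg), file=sys.stderr)
    print("%d PEM block(s), %d problem(s)" % (count, len(problems)))
    return 1 if problems else 0  # non-zero exit when something is wrong


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 lint_bundle.py /etc/ssl/certs/ca-certificates.crt`; on the constructed SAMPLE it counts two certificates and flags line 1, which is exactly the 150-odd "pem block before p11-kit section header" lines the stable version prints for a real bundle, while the IPA comment line is silently skipped.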