Wrong certificate returned if multiple certs have same label but different ID
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| libp11 | Fix Released | Unknown | | |
| libp11 (Ubuntu) | Fix Released | Medium | Andreas Hasenack | |
| Jammy | Confirmed | Low | Unassigned | |
| Kinetic | Fix Released | Medium | Andreas Hasenack | |
Bug Description
Right now, when an attempt is made to store two certificates on a smartcard, where the IDs of the certs are the same but the labels are not, or the labels are the same but the IDs are not, the wrong certificate is selected, one that does not match the key. This typically happens when a certificate is renewed, and the smartcard (possibly a software smartcard) contains both the old cert and the new cert. In this case the IDs may be the same.
Fixed upstream here:
https:/
When ID and label are specified, both need to match, not either.
To fix this id-match OR label-match was replaced with id-match AND
label-match.
A tiebreak was added when multiple matching certificates could be
returned. The certificate with the latest expiry wins, and if we
still have a tie we deterministically choose a certificate using
X509_cmp().
If we do not specify a certificate, we return the first certificate
(or first certificate with an ID) as before.
Debug logging updated to show the expiry date used in the decision.
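The selection rule described in the report above (every specified attribute must match, latest expiry wins, then a deterministic comparison), as an added example that is not libp11's code. `toy_cert`, `match_either`, `match_all`, `select_cert` and the sample data are hypothetical; a byte comparison of the encoding stands in for `X509_cmp()`, and which side wins that final tiebreak is an assumption.

```c
#include <stddef.h>
#include <string.h>
#include <time.h>
/* Hypothetical stand-in for a token certificate; not libp11's own struct. */
typedef struct {
    const char *id, *label;    /* certificate ID ("" if none) and label */
    time_t not_after;          /* expiry time */
    const unsigned char *der; size_t der_len;  /* encoded certificate bytes */
} toy_cert;
/* Old rule from the report: either attribute matching was enough. */
int match_either(const toy_cert *c, const char *id, const char *label) {
    return (id && !strcmp(c->id, id)) || (label && !strcmp(c->label, label));
}
/* Fixed rule: every attribute the caller specified must match. */
int match_all(const toy_cert *c, const char *id, const char *label) {
    return (!id || !strcmp(c->id, id)) && (!label || !strcmp(c->label, label));
}
/* Total order over encodings; stands in for X509_cmp() in this sketch. */
static int der_cmp(const toy_cert *a, const toy_cert *b) {
    size_t n = a->der_len < b->der_len ? a->der_len : b->der_len;
    int r = memcmp(a->der, b->der, n);
    return r ? r : (a->der_len > b->der_len) - (a->der_len < b->der_len);
}

/* id/label are NULL when the caller did not specify them. */
const toy_cert *select_cert(const toy_cert *certs, size_t n,
                            const char *id, const char *label) {
    const toy_cert *best = NULL;
    if (!id && !label) {                           /* nothing requested */
        for (size_t i = 0; i < n; i++)
            if (certs[i].id[0]) return &certs[i];  /* first cert with an ID */
        return n ? &certs[0] : NULL;               /* otherwise the first cert */
    }
    for (size_t i = 0; i < n; i++) {
        const toy_cert *c = &certs[i];
        if (!match_all(c, id, label)) continue;
        /* Latest expiry wins; equal expiry: lower encoding (example's choice). */
        if (!best || c->not_after > best->not_after ||
            (c->not_after == best->not_after && der_cmp(c, best) < 0))
            best = c;
    }
    return best;
}

/* Constructed sample token: a renewal shares ID "01"; two certs share a label. */
static const unsigned char D1[] = {0x30, 1}, D2[] = {0x30, 2}, D3[] = {0x30, 3};
const toy_cert SAMPLE[] = {
    {"01", "old", 1000, D1, 2},  /* older cert */
    {"01", "new", 2000, D2, 2},  /* renewal: same ID, new label */
    {"02", "new", 2000, D3, 2},  /* other key, same label */
};
```

Asking for ID "02" with label "new" shows the difference: `match_either` accepts the ID "01" certificate because its label matches, while `match_all` accepts only the certificate that carries both values.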
Related branches
- Utkarsh Gupta (community): Approve
- Canonical Server Reporter: Pending requested
- Diff: 12642 lines (+4902/-2918), 68 files modified
INSTALL.md (+5/-5)
Makefile.in (+23/-10)
NEWS (+20/-1)
README.md (+9/-5)
aclocal.m4 (+39/-29)
compile (+3/-3)
config.guess (+7/-3)
config.sub (+3/-3)
configure (+961/-197)
configure.ac (+9/-5)
debian/changelog (+12/-0)
debian/tests/control (+7/-0)
debian/tests/engine (+72/-0)
debian/tests/engine-smoke (+37/-0)
depcomp (+1/-1)
doc/Makefile.in (+17/-4)
examples/Makefile.in (+17/-6)
examples/auth.c (+4/-4)
examples/decrypt.c (+5/-5)
install-sh (+92/-69)
ltmain.sh (+325/-443)
m4/ax_pthread.m4 (+522/-0)
m4/libtool.m4 (+77/-77)
m4/ltoptions.m4 (+1/-1)
m4/ltsugar.m4 (+1/-1)
m4/ltversion.m4 (+6/-6)
m4/lt~obsolete.m4 (+1/-1)
make.rules.mak (+1/-1)
missing (+1/-1)
src/Makefile.am (+1/-1)
src/Makefile.in (+18/-7)
src/config.h.in (+10/-3)
src/eng_back.c (+365/-449)
src/eng_err.h (+1/-0)
src/eng_front.c (+4/-0)
src/engine.h (+1/-0)
src/libp11-int.h (+152/-174)
src/libp11.exports (+1/-0)
src/libp11.h (+20/-13)
src/libp11.rc (+4/-4)
src/p11_atfork.c (+58/-128)
src/p11_attr.c (+58/-61)
src/p11_cert.c (+106/-172)
src/p11_ckr.c (+3/-2)
src/p11_ec.c (+137/-101)
src/p11_front.c (+167/-72)
src/p11_key.c (+342/-308)
src/p11_load.c (+7/-10)
src/p11_misc.c (+18/-25)
src/p11_pkey.c (+141/-128)
src/p11_pthread.h (+94/-0)
src/p11_rsa.c (+86/-84)
src/p11_slot.c (+246/-258)
src/pkcs11.h (+20/-0)
src/pkcs11.rc (+4/-4)
test-driver (+6/-4)
tests/Makefile.am (+6/-3)
tests/Makefile.in (+53/-13)
tests/ec-cert-store.softhsm (+47/-0)
tests/ec-check-privkey.softhsm (+2/-2)
tests/evp-sign.c (+1/-1)
tests/fork-change-slot.c (+0/-4)
tests/fork-test.c (+0/-4)
tests/list-tokens.c (+0/-1)
tests/rsa-check-privkey.softhsm (+47/-0)
tests/rsa-no-pubkey.sh (+123/-0)
tests/rsa-oaep.c (+1/-1)
tests/store-cert.c (+274/-0)
Changed in libp11:
status: Unknown → New
Changed in libp11:
status: New → Fix Released
tags: added: server-todo
Changed in libp11 (Ubuntu Kinetic):
status: Triaged → In Progress
Thanks for taking the time to report this bug here, Graham.
As you already pointed out, the proper fix should go into the upstream project first.
https://github.com/OpenSC/libp11/pull/433 seems to be reviewed and approved. Once it is merged, we should be able to backport the patch as needed.