Public bug reported:

Right now, when an attempt is made to store two certificates on a smartcard, where the IDs of the certs are the same but the labels are not, or the labels are the same but the IDs are not, the wrong certificate is selected, not matching the key. This typically happens when a certificate is renewed and the smartcard (possibly a software smartcard) contains both the old cert and the new cert. In this case the IDs may be the same.
Fixed upstream here: https://github.com/OpenSC/libp11/pull/433

When ID and label are specified, both need to match, not either. To fix this, id-match OR label-match was replaced with id-match AND label-match. A tiebreak was added for when multiple matching certificates could be returned: the certificate with the latest expiry wins, and if there is still a tie, a certificate is chosen deterministically using X509_cmp(). If no certificate is specified, the first certificate (or first certificate with an ID) is returned as before. Debug logging was updated to show the expiry date used in the decision.

** Affects: libp11 (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1964141
Title: Wrong certificate returned if multiple certs have same label but different ID
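The post-fix selection rule described above, as an added Python model that is not libp11's own code: CertRecord, select_certificate and the sample token contents are constructed here, and the final tiebreak orders by the SHA-1 of the encoding as a stand-in for X509_cmp().

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Sequence


@dataclass(frozen=True)
class CertRecord:
    """Minimal stand-in for a PKCS#11 certificate object (constructed, not libp11's type)."""
    cert_id: bytes      # CKA_ID
    label: str          # CKA_LABEL
    not_after: datetime  # certificate expiry
    der: bytes          # certificate encoding, used only for the deterministic tiebreak


def _matches(cert: CertRecord, cert_id: Optional[bytes], label: Optional[str]) -> bool:
    # Every criterion that was supplied must match (AND, not the old OR).
    if cert_id is not None and cert.cert_id != cert_id:
        return False
    if label is not None and cert.label != label:
        return False
    return True


def select_certificate(certs: Sequence[CertRecord], cert_id: Optional[bytes] = None,
                       label: Optional[str] = None) -> Optional[CertRecord]:
    """Pick the certificate matching cert_id/label, preferring the latest expiry."""
    if not certs:
        return None
    if cert_id is None and label is None:
        return certs[0]  # nothing specified: first certificate, as before
    candidates = [c for c in certs if _matches(c, cert_id, label)]
    if not candidates:
        return None
    latest = max(c.not_after for c in candidates)  # tiebreak 1: latest expiry wins
    candidates = [c for c in candidates if c.not_after == latest]
    # Tiebreak 2: still tied, choose deterministically (stand-in for X509_cmp()).
    return min(candidates, key=lambda c: hashlib.sha1(c.der).digest())


# Constructed sample token: the renewed cert shares CKA_ID and CKA_LABEL with the old one.
OLD_CERT = CertRecord(b"\x01", "auth", datetime(2022, 3, 1, tzinfo=timezone.utc), b"old-der")
NEW_CERT = CertRecord(b"\x01", "auth", datetime(2025, 3, 1, tzinfo=timezone.utc), b"new-der")
OTHER_CERT = CertRecord(b"\x02", "auth", datetime(2024, 3, 1, tzinfo=timezone.utc), b"other-der")
TOKEN = [OLD_CERT, OTHER_CERT, NEW_CERT]

if __name__ == "__main__":
    chosen = select_certificate(TOKEN, cert_id=b"\x01", label="auth")
    print(chosen.not_after.date())  # 2025-03-01
```

With the old OR matching, cert_id=b"\x02" plus label="sign" would still have matched OTHER_CERT on ID alone; under the AND rule it matches nothing.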