p11-kit: couldn't remove object: The object is missing or invalid #508

Open
tresf opened this issue May 21, 2023 · 2 comments

tresf commented May 21, 2023

I have a scenario where trust anchor --remove successfully removes an object, but:

  • Places several errors on the console
  • Returns a non-zero exit code despite being successful

Steps to reproduce:

sudo trust anchor --store mycert.crt
sudo trust anchor --remove "pkcs11:id=%F2%FC%C1%0C%9D%1D%58%17%2D%CD%92%DC%8D%2D%09%5E%4F%29%F1%AC"

Output:

p11-kit: couldn't remove object: The object is missing or invalid
p11-kit: couldn't remove object: The object is missing or invalid
p11-kit: couldn't remove object: The object is missing or invalid
p11-kit: couldn't remove object: The object is missing or invalid
p11-kit: couldn't remove object: The object is missing or invalid
p11-kit: couldn't remove object: The object is missing or invalid
p11-kit: couldn't remove object: The object is missing or invalid
p11-kit: couldn't remove object: The object is missing or invalid
p11-kit: couldn't remove object: The object is missing or invalid
p11-kit: 9 errors while processing

echo $?

Output:

1

Even stranger, if I repeat the command a second time, the following happens:

  • No errors are displayed
  • Exit code changes to 0

If I provide an exact match for the URI, the command works as expected. The exact match is:

- sudo trust anchor --remove "pkcs11:id=%F2%FC%C1%0C%9D%1D%58%17%2D%CD%92%DC%8D%2D%09%5E%4F%29%F1%AC"
+ sudo trust anchor --remove "pkcs11:id=%F2%FC%C1%0C%9D%1D%58%17%2D%CD%92%DC%8D%2D%09%5E%4F%29%F1%AC;type=cert"

A similar, but different result occurs when listing with a filter:

sudo trust list --filter "pkcs11:id=%F2%FC%C1%0C%9D%1D%58%17%2D%CD%92%DC%8D%2D%09%5E%4F%29%F1%AC"

Output:

pkcs11:id=%F2%FC%C1%0C%9D%1D%58%17%2D%CD%92%DC%8D%2D%09%5E%4F%29%F1%AC;type=cert
    type: certificate
    label: localhost
    trust: anchor
    category: authority

p11-kit: skipping non-certificate object
p11-kit: skipping non-certificate object
p11-kit: skipping non-certificate object
p11-kit: skipping non-certificate object
p11-kit: skipping non-certificate object
p11-kit: skipping non-certificate object
p11-kit: skipping non-certificate object
p11-kit: skipping non-certificate object
p11-kit: skipping non-certificate object

... which is also remedied by appending ;type=cert to the filter string.

ueno (Member) commented May 22, 2023

With trust dump you will see what the other objects are:

trust dump --filter="pkcs11:id=%F2%FC%C1%0C%9D%1D%58%17%2D%CD%92%DC%8D%2D%09%5E%4F%29%F1%AC"
...
# pkcs11:id=%F2%FC%C1%0C%9D%1D%58%17%2D%CD%92%DC%8D%2D%09%5E%4F%29%F1%AC
[p11-kit-object-v1]
class: x-trust-assertion
private: false
label: "localhost"
id: "%F2%FC%C1%0C%9D%1DX%17-%CD%92%DC%8D-%09%5EO%29%F1%AC"
modifiable: false
...

These are internal objects and cannot be removed alone. To remove them you would need to specify the certificate object. Appending ;type=cert is one way, and you can also supply the file where the original certificate is stored:

sudo trust anchor --remove mycert.crt

tresf (Author) commented May 23, 2023

OK, so if ;type=cert is always part of the ID, that makes sense.

To remove them you would need to specify the certificate object.

Thanks, I did notice that; however, in my case I'm doing some pattern matching to remove certs that I know I've installed, by parsing an extract file.

trust extract --format=pem-bundle certs.txt

... and then reading them in with BouncyCastle to get the SubjectKeyIdentifier to construct a URI. At first glance, I assumed the ;type=cert portion of the URI was optional.

Arguably, I could split up the bundle into individual files and feed the matching ones back into trust anchor --remove, but I wanted to create as few temporary files as possible.

For now, I'll make sure to always append the ;type=cert portion. Thanks for the confirmation/clarification.
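Two things in this thread trip up anyone scripting against the trust store the way the reporter does: the URI needs `;type=cert` to select the certificate rather than the internal x-trust-assertion objects, and the `id:` value shown by `trust dump` is not byte-for-byte the same string as the `pkcs11:id=` the reporter passed (bytes 0x58, 0x2D and 0x4F appear literally as `X`, `-` and `O` in the dump), so string matching between the two fails even though they name the same object. The following is an added example written for this thread, not code from p11-kit or from either participant; the helper names are hypothetical, and the SKI bytes, the reporter's URI and the dump id are the ones quoted above. It builds a `pkcs11:` URI from a raw SubjectKeyIdentifier, parses URIs back to attributes, compares ids as decoded bytes, and appends `;type=cert` when the type attribute is missing.

```python
"""Build, parse and compare PKCS#11 URIs for objects in the p11-kit trust store.

Hypothetical helper code written for this thread, not part of p11-kit.
"""
from typing import Dict, Optional, Union
from urllib.parse import unquote_to_bytes

# Values taken from the thread: the SubjectKeyIdentifier of the test cert,
# the URI the reporter passed to `trust anchor --remove`, and the `id:` value
# printed by `trust dump` for the companion x-trust-assertion object.
SKI = bytes.fromhex("F2FCC10C9D1D58172DCD92DC8D2D095E4F29F1AC")
REPORTER_URI = "pkcs11:id=%F2%FC%C1%0C%9D%1D%58%17%2D%CD%92%DC%8D%2D%09%5E%4F%29%F1%AC"
DUMP_ID_URI = "pkcs11:id=%F2%FC%C1%0C%9D%1DX%17-%CD%92%DC%8D-%09%5EO%29%F1%AC"


def ski_to_pkcs11_uri(ski: bytes, type_: Optional[str] = "cert") -> str:
    """Encode a raw SubjectKeyIdentifier as pkcs11:id=...;type=cert.

    Every byte is percent-encoded in upper-case hex, which is the form
    `trust list` prints. `type=cert` is appended by default so the URI
    selects the certificate object rather than the internal
    x-trust-assertion objects that share the same id.
    """
    encoded = "".join(f"%{b:02X}" for b in ski)
    uri = f"pkcs11:id={encoded}"
    if type_:
        uri += f";type={type_}"
    return uri


def parse_pkcs11_uri(uri: str) -> Dict[str, Union[bytes, str]]:
    """Split the path attributes of a pkcs11: URI (RFC 7512).

    `id` is kept as raw bytes, since it is binary; every other attribute
    is percent-decoded to text. The query part (after '?') is ignored.
    """
    if not uri.startswith("pkcs11:"):
        raise ValueError(f"not a pkcs11 URI: {uri!r}")
    path = uri[len("pkcs11:"):].partition("?")[0]
    attrs: Dict[str, Union[bytes, str]] = {}
    for part in filter(None, path.split(";")):
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed attribute: {part!r}")
        raw = unquote_to_bytes(value)
        attrs[key] = raw if key == "id" else raw.decode("utf-8")
    return attrs


def same_object_id(uri_a: str, uri_b: str) -> bool:
    """True when both URIs carry the same CKA_ID bytes.

    Compare decoded bytes, never the strings: 0x58, 0x2D and 0x4F may be
    written as %58, %2D, %4F or as the literal characters X, - and O.
    """
    id_a = parse_pkcs11_uri(uri_a).get("id")
    id_b = parse_pkcs11_uri(uri_b).get("id")
    return id_a is not None and id_a == id_b


def ensure_cert_type(uri: str) -> str:
    """Append ;type=cert to a pkcs11 URI that has no type attribute."""
    if "type" in parse_pkcs11_uri(uri):
        return uri
    head, sep, query = uri.partition("?")
    return f"{head};type=cert{sep}{query}"


if __name__ == "__main__":
    print(ski_to_pkcs11_uri(SKI))
    print("same object:", same_object_id(REPORTER_URI, DUMP_ID_URI))
    print(ensure_cert_type(REPORTER_URI))
```

When matching certificates extracted with `trust extract --format=pem-bundle` against what `trust list` or `trust dump` reports, decode the `id` attribute on both sides and compare the bytes; then pass the `;type=cert` form to `trust anchor --remove` so only the certificate object is selected and the "object is missing or invalid" errors from the side objects do not appear.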
