Bug 1131461

Summary: gnutls fails to load BER-encoded PKCS #12 files
Product: [Fedora] Fedora Reporter: Nikos Mavrogiannopoulos <nmavrogi>
Component: gnutlsAssignee: Nikos Mavrogiannopoulos <nmavrogi>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 21CC: dwmw2, nmavrogi, spoore, tmraz
Target Milestone: ---Keywords: Reopened
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: gnutls-3.3.14-1.fc22 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-04-18 09:47:02 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Nikos Mavrogiannopoulos 2014-08-19 10:52:11 UTC 
GnuTLS when decoding PKCS #12 uses the DER decoder, so any legal BER-encoded PKCS #12 files cannot be parsed. 

Gnutls should use a BER parser for PKCS #12 files.
Comment 1 Nikos Mavrogiannopoulos 2014-08-19 10:53:55 UTC 
Example file: http://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=view&target=pkcs12.pfx
Comment 2 Fedora Update System 2014-08-25 07:56:13 UTC 
libtasn1-3.8-1.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/libtasn1-3.8-1.fc20
Comment 3 Fedora Update System 2014-09-02 06:46:51 UTC 
libtasn1-3.8-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 4 Nikos Mavrogiannopoulos 2015-03-04 10:37:02 UTC 
There is a related issue with indefinite encoded OCTET STRINGs.
Comment 5 Fedora Update System 2015-03-30 12:23:55 UTC 
gnutls-3.3.14-1.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/gnutls-3.3.14-1.fc22
Comment 6 Fedora Update System 2015-03-30 12:24:21 UTC 
gnutls-3.3.14-1.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/gnutls-3.3.14-1.fc21
Comment 7 Fedora Update System 2015-03-31 21:43:21 UTC 
Package gnutls-3.3.14-1.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing gnutls-3.3.14-1.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-5108/gnutls-3.3.14-1.fc21
then log in and leave karma (feedback).
Comment 8 Scott Poore 2015-04-06 16:20:30 UTC 
Nikos,

I'm trying to check this and leave karma but, I'm not sure I know how to test this.

How can I test with the example pfx file from comment #1?

This is what I was trying as a quick test:

certtool --infile=pkcs12.pfx --p12-info --inder

But, that seems to work with version gnutls-3.3.13-1.fc22.x86_64:

# certtool --infile=pkcs12.pfx --p12-info --inder
Enter password: 
BAG #0
	Type: Encrypted

	Decrypting...
	Elements: 1
	Type: Certificate
	Friendly name: My Certificate
	Key ID: 1C:9C:00:37:0B:4A:07:06:9C:FA:24:CF:32:4B:1F:F0:AE:BA:0E:9A
-----BEGIN CERTIFICATE-----
...truncated for brevity...
-----END CERTIFICATE-----

BAG #1
	Elements: 1
	Type: PKCS #8 Encrypted key
	Friendly name: My Certificate
	Key ID: 1C:9C:00:37:0B:4A:07:06:9C:FA:24:CF:32:4B:1F:F0:AE:BA:0E:9A
-----BEGIN ENCRYPTED PRIVATE KEY-----
...truncated for brevity...
-----END ENCRYPTED PRIVATE KEY-----

Is there somewhere else this would fail if it's not fixed?  Is there a way I could check that with danetool?

Thanks,
Scott
Comment 9 Nikos Mavrogiannopoulos 2015-04-06 20:36:15 UTC 
Unfortunately it is not easy to test as I received few encrypted PKCS #12 files which I cannot include in this bug report and they are not easy to regenerate either (they are not generated from either openssl or gnutls). If you have PKCS #12 files generated out of gnutls or openssl please try them (and if they can be distributed let me know). Otherwise simply check whether it works for your files.
Comment 10 Scott Poore 2015-04-07 12:51:00 UTC 
Ok.  Thanks for the help.  Karma given.
Comment 11 Nikos Mavrogiannopoulos 2015-04-07 14:01:10 UTC 
(In reply to Scott Poore from comment #10)
> Ok.  Thanks for the help.  Karma given.

Thanks. Could you also give karma to libtasn1 since it is a dependency of this package?

https://admin.fedoraproject.org/updates/FEDORA-2015-5199/libtasn1-4.4-1.fc22?_csrf_token=9de63f67e81ed7f0f69414499917ad6dc7b79349
Comment 12 Scott Poore 2015-04-07 16:20:26 UTC 
Sure.  Should be done now.
Comment 13 Fedora Update System 2015-04-18 09:47:02 UTC 
gnutls-3.3.14-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 Fedora Update System 2015-04-21 18:42:29 UTC 
gnutls-3.3.14-1.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.