Bug 1220573 (rhel7-nss-aes-key-support)

Summary: NSS can't handle PKCS#12 files with keys or certificates encrypted using strong PKCS#5 v2.0 ciphers or ones that use SHA-2 MAC
Product: Red Hat Enterprise Linux 7
Reporter: Alicja Kario <hkario>
Component: nss
Assignee: Bob Relyea <rrelyea>
Status: CLOSED ERRATA
QA Contact: Alicja Kario <hkario>
Severity: medium
Docs Contact: Mirek Jahoda <mjahoda>
Priority: low
Version: 7.1
CC: dueno, hkario, kdudka, kengert, nkinder, nmavrogi, rrelyea, szidek, tmraz
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: nss-3.28.4-8.el7
Doc Type: Bug Fix
Doc Text:
_nss_ now properly handles PKCS#12 files
Previously, when using the "pk12util" tool to list certificates in a PKCS#12 file with strong ciphers using PKCS#5 v2.0 format, there was no output. Additionally, when using "pk12util" to list certificates in a PKCS#12 file with the SHA-2 Message Authentication Code (MAC), a MAC error was reported, but no certificates were printed. With this update, importing and exporting PKCS#12 files has been changed to be compatible with the *OpenSSL* handling, and PKCS#12 files are now processed properly in the described scenarios.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-08-01 16:47:42 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 839624, 1335929, 1492845

Attachments (description, flags):
- passwordless PKCS#12 with PKCS#5 v2.0 aes-128-cbc encryption and SHA1 MAC (none)
- passwordless PKCS#12 with PBE-SHA1-3DES encryption and SHA-256 MAC (none)

Description Alicja Kario 2015-05-11 23:06:42 UTC
Created attachment 1024374 [details]
passwordless PKCS#12 with PKCS#5 v2.0 aes-128-cbc encryption and SHA1 MAC

Description of problem:
When using `pk12util` to list certificates inside a PKCS#12 file with strong ciphers using PKCS#5 v2.0 format, no certificates are output and no error is printed.

When using `pk12util` to list certificates inside a PKCS#12 file with SHA-2 MAC, a MAC error is reported and no certificates are printed.

Version-Release number of selected component (if applicable):
openssl-1.0.1e-42.el7.x86_64
nss-3.16.2.3-5.el7.x86_64

(also tested on rhel-6 with nss-3.18.0-5.3.el6.x86_64)

How reproducible:
Always

Steps to Reproduce:
1. openssl req -x509 -newkey rsa -keyout localhost.key -out localhost.crt -subj /CN=localhost -nodes -batch
2. echo "RedHatEnterpriseLinux7.1" | openssl pkcs12 -export -out bundle.p12 -in localhost.crt -caname server-cert -nokeys -passout stdin -certpbe aes-128-cbc
3. pk12util -l bundle.p12 -W RedHatEnterpriseLinux7.1 -v

Actual results:
No output

Expected results:
Certificate printed

Steps to Reproduce:
1. openssl req -x509 -newkey rsa -keyout localhost.key -out localhost.crt -subj /CN=localhost -nodes -batch
2. echo "RedHatEnterpriseLinux7.1" | openssl pkcs12 -export -out bundle.p12 -in localhost.crt -caname server-cert -nokeys -passout stdin -certpbe PBE-SHA1-3DES -macalg sha1
3. pk12util -l bundle.p12 -W RedHatEnterpriseLinux7.1 -v

Actual results:
pk12util: PKCS12 decode not verified: error -12285: Unknown code ___P 3
pk12util: PKCS12 decode not verified: error -12285: Unknown code ___P 

Expected results:
Certificate printed

Additional info:
Specifying `-certpbe PBE-SHA1-3DES -macalg sha1` creates a file readable for NSS.

Comment 1 Alicja Kario 2015-05-11 23:07:46 UTC
Created attachment 1024375 [details]
passwordless PKCS#12 with PBE-SHA1-3DES encryption and SHA-256 MAC

Comment 2 Alicja Kario 2015-05-12 10:17:46 UTC
Slight mistake in the second Steps to Reproduce: the option should be '-macalg sha256' but is '-macalg sha1'.

Comment 3 Alicja Kario 2015-05-12 15:01:16 UTC
Slight addition, and I'd say most severe of the issues mentioned: pk12util can't decrypt private key if it is encrypted with AES ciphers.

Steps to reproduce:
1. openssl req -x509 -newkey rsa -keyout localhost.key -out localhost.crt -subj /CN=localhost -nodes -batch
2. openssl pkcs12 -in localhost.crt -inkey localhost.key -export -out bundle.p12 -passout pass: -name "server" -caname "server" -certpbe NONE -keypbe AES-256-CBC -macalg SHA1
3. mkdir nssdb
4. certutil -N --empty-password -d sql:./nssdb
5. pk12util -i bundle.p12 -d sql:./nssdb -W ''

Actual results:
pk12util: PKCS12 decode import bags failed: SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY: Unable to import.  Error attempting to import private key.

Expected results:
pk12util: PKCS12 IMPORT SUCCESSFUL

Additional info:
Specifying `-certpbe DES-EDE3-CBC` does create a PKCS#12 file which can be loaded, so I'm guessing it's the AES support that's missing, not PKCS#5 v2.0 support in general.
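
Whether `pk12util` lists or imports a given bundle.p12 depends entirely on which PBE, KDF and MAC algorithm identifiers `openssl pkcs12 -export` wrote into it (the description's `-certpbe`/`-macalg` variants and the `-keypbe AES-256-CBC` case above). The script below is an added example, not part of this bug report and not NSS or OpenSSL code: it walks the DER of a PFX with a small hand-written decoder, reports the MAC digest and the KDF/cipher chain of every safe, and flags the constructs this report says the unfixed NSS rejects (PBES2-wrapped content, and a MAC that is missing or not SHA-1). The function names `inspect_pkcs12`, `unfixed_nss_issues` and `sample_pfx` are the example's own; the two sample blobs are constructed in the script with dummy salt, IV, digest and ciphertext, and the OID table covers only the algorithms discussed in this report.

```python
"""Report the KDF, cipher and MAC algorithms inside a PKCS#12 (PFX) file. Added example for this
bug report, not NSS or OpenSSL code; handles the unsigned PFX layout that `openssl pkcs12 -export` writes."""

ID_DATA, ID_ENCRYPTED_DATA = "1.2.840.113549.1.7.1", "1.2.840.113549.1.7.6"
PBES2, PBKDF2 = "1.2.840.113549.1.5.13", "1.2.840.113549.1.5.12"
PBE_SHA1_3DES, AES_128_CBC = "1.2.840.113549.1.12.1.3", "2.16.840.1.101.3.4.1.2"
SHA1, SHA256, HMAC_SHA256 = "1.3.14.3.2.26", "2.16.840.1.101.3.4.2.1", "1.2.840.113549.2.9"
OID_NAMES = {  # only the OIDs discussed in the report; anything else is reported in dotted form
    ID_DATA: "pkcs7-data", ID_ENCRYPTED_DATA: "pkcs7-encryptedData", PBES2: "PBES2",
    PBKDF2: "PBKDF2", PBE_SHA1_3DES: "PBE-SHA1-3DES", SHA1: "sha1", SHA256: "sha256",
    AES_128_CBC: "aes-128-cbc", "2.16.840.1.101.3.4.1.22": "aes-192-cbc",
    "2.16.840.1.101.3.4.1.42": "aes-256-cbc", "1.2.840.113549.3.7": "des-ede3-cbc",
    "1.2.840.113549.2.7": "hmacWithSHA1", HMAC_SHA256: "hmacWithSHA256",
}

def _children(body):  # iterate the (tag, content) TLVs of a constructed value; single-byte tags suffice
    pos = 0
    while pos < len(body):
        tag, length, pos = body[pos], body[pos + 1], pos + 2
        if length & 0x80:  # long-form length
            n = length & 0x7F
            length, pos = int.from_bytes(body[pos:pos + n], "big"), pos + n
        yield tag, body[pos:pos + length]
        pos += length

def _decode_oid(body):
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, value = arcs + [value], 0
    first = min(arcs[0] // 40, 2)  # the first arc can only be 0, 1 or 2
    return ".".join(str(a) for a in [first, arcs[0] - 40 * first] + arcs[1:])

def _oids(body):  # every OID inside a constructed value, in order, without opening OCTET STRINGs
    for tag, sub in _children(body):
        if tag == 0x06:
            yield _decode_oid(sub)
        elif tag & 0x20:  # constructed: SEQUENCE, SET, [n] EXPLICIT
            yield from _oids(sub)

def inspect_pkcs12(data):
    """Return the PFX version, MAC digest (None without MacData) and each safe's algorithm chain."""
    tag, pfx = next(_children(data))
    if tag != 0x30:
        raise ValueError("not a PKCS#12 PFX")
    version, auth_safe_ci, *mac_data = _children(pfx)
    _, wrapped = list(_children(auth_safe_ci[1]))[:2]  # ContentInfo: id-data, [0] EXPLICIT OCTET STRING
    _, octets = next(_children(wrapped[1]))
    _, auth_safe = next(_children(octets))  # AuthenticatedSafe ::= SEQUENCE OF ContentInfo
    safes = []
    for _, ci in _children(auth_safe):
        ctype, content = list(_children(ci))[:2]
        kind, body = _decode_oid(ctype[1]), content[1]
        if kind == ID_DATA:  # plain safe: the [0] holds an OCTET STRING with SafeContents inside
            _, body = next(_children(body))
        algs = [OID_NAMES.get(o, o) for o in _oids(body) if o != ID_DATA]
        safes.append({"type": OID_NAMES.get(kind, kind), "algorithms": algs})
    mac = next(_oids(mac_data[0][1])) if mac_data else None  # MacData: first OID is the digest
    return {"version": int.from_bytes(version[1], "big"), "mac": OID_NAMES.get(mac, mac), "safes": safes}

def unfixed_nss_issues(summary):
    """Flag what the report says the unfixed NSS rejects: PBES2 content, and a MAC absent or not SHA-1."""
    issues = [f"safe {i} ({s['type']}) uses PBES2: certificates not listed, key import fails"
              for i, s in enumerate(summary["safes"]) if "PBES2" in s["algorithms"]]
    if summary["mac"] != "sha1":
        issues.append(f"MAC digest {summary['mac']}: 'PKCS12 decode not verified'" if summary["mac"]
                      else "no MacData: files without a MAC are not supported")
    return issues

# DER encoder, used only to construct the sample blobs (dummy salt, IV, digest and ciphertext).
def _der(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body
_seq = lambda *parts: _der(0x30, b"".join(parts))

def _oid(dotted):
    arcs, out = [int(a) for a in dotted.split(".")], b""
    for arc in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out += bytes(chunk)
    return _der(0x06, out)

def sample_pfx(pbes2, mac_digest):
    """Constructed sample, one encryptedData safe: pbes2=True mirrors `-certpbe aes-128-cbc`, else PBE-SHA1-3DES."""
    salt, iters, null = _der(0x04, b"\x01" * 8), _der(0x02, b"\x08\x00"), _der(0x05, b"")  # iter 2048
    kdf = _seq(_oid(PBKDF2), _seq(salt, iters, _seq(_oid(HMAC_SHA256), null)))  # PRF as OpenSSL 1.1.0 default
    alg = (_seq(_oid(PBES2), _seq(kdf, _seq(_oid(AES_128_CBC), _der(0x04, b"\x02" * 16))))
           if pbes2 else _seq(_oid(PBE_SHA1_3DES), _seq(salt, iters)))
    enc = _seq(_der(0x02, b"\x00"), _seq(_oid(ID_DATA), alg, _der(0x80, b"\x00" * 32)))  # [0] IMPLICIT ciphertext
    auth_safe = _seq(_seq(_oid(ID_ENCRYPTED_DATA), _der(0xA0, enc)))
    digest, size = (SHA1, 20) if mac_digest == "sha1" else (SHA256, 32)
    mac = _seq(_seq(_seq(_oid(digest), null), _der(0x04, b"\x00" * size)), salt, iters)
    return _seq(_der(0x02, b"\x03"), _seq(_oid(ID_DATA), _der(0xA0, _der(0x04, auth_safe))), mac)
```

To check a real export, pass the bytes of the .p12 file to `inspect_pkcs12` and feed the result to `unfixed_nss_issues`; an empty list means the file uses only the PBE-SHA1-3DES plus SHA-1 MAC combination that the description reports as readable. The walker deliberately never opens OCTET STRINGs except the one PKCS#12 authSafe wrapper, so salts, IVs and ciphertext are never mistaken for nested structures.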

Comment 4 Alicja Kario 2015-05-13 11:17:55 UTC
I have also tested in FIPS mode using:
nss-3.18.0-2.2.el7_1.x86_64
nss-3.18.0-2.2.el7_1.i686
nspr-4.10.8-1.el7_1.x86_64
nspr-4.10.8-1.el7_1.i686
nss-util-3.18.0-1.el7_1.x86_64
nss-util-3.18.0-1.el7_1.i686
nss-softokn-3.16.2.3-9.el7.x86_64
nss-softokn-3.16.2.3-9.el7.i686

with a password protected file (with password "RedHatEnterpriseLinux7.1"). The reported error is exactly the same as in Comment 3.

Comment 7 Kai Engert (:kaie) (inactive account) 2016-04-25 20:37:09 UTC
If this is a feature enhancement request, it should be reported upstream.

Please provide justification why this enhancement is required.

Comment 8 Alicja Kario 2016-04-26 17:49:24 UTC
Bob in private communication said that this feature was supported in the past which would indicate that it's a regression.

This enhancement is required for resilience against future quantum computers and to meet FIPS requirements for private key storage past the year 2030 [1].

[1] See NIST SP 800-57 Part 1 Revision 4, section 5.6.2.

Comment 9 Kai Engert (:kaie) (inactive account) 2016-04-27 12:45:38 UTC
Can you please file the upstream regression bug?

Comment 10 Kai Engert (:kaie) (inactive account) 2016-09-28 16:22:02 UTC
(In reply to Kai Engert (:kaie) from comment #9)
> Can you please file the upstream regression bug?

Hubert, is this something you could do please, assign it to Bob, and add a link in here?

Since we're moving towards stronger technology in the future, TriagedHigh seems to be appropriate.

Comment 11 Alicja Kario 2016-09-29 11:11:23 UTC
There are already two bugs filed upstream for that (see External Trackers):
https://bugzilla.mozilla.org/show_bug.cgi?id=1268143
https://bugzilla.mozilla.org/show_bug.cgi?id=1268141

I don't have permissions to change the assignee of the upstream bugs.

So please correct me if I missed something, but it looks like there's nothing for me to do.

Comment 12 Kai Engert (:kaie) (inactive account) 2016-09-29 11:45:02 UTC
(In reply to Hubert Kario from comment #11)
> There are already two bugs filed upstream for that (see External Trackers):
> https://bugzilla.mozilla.org/show_bug.cgi?id=1268143
> https://bugzilla.mozilla.org/show_bug.cgi?id=1268141

Thanks, I had missed the links.

Comment 13 Alicja Kario 2016-10-12 15:36:37 UTC
possibly some other files we can use for inspiration to generate PKCS#12 files:
http://git.infradead.org/users/dwmw2/openconnect.git/tree/HEAD:/tests/certs

one thing I haven't tested is if the PBES2 uses PBKDF2 with a HMAC-SHA256, instead of the "standard" HMAC-SHA1. It's necessary as OpenSSL 1.1.0 defaults to the former for PKCS#12 export.

Comment 16 Alicja Kario 2017-02-16 14:10:28 UTC
one more thing, PBKDF2 can also be used with SHA-512-224 and SHA-512-256, the PKCS#12 file HMAC possibly too...

Comment 17 Alicja Kario 2017-03-22 18:53:57 UTC
PBES2 with PBKDF2 and des-ede3-cbc cipher is not supported for certBag

ECDSA keys without encryption are not supported

files without MAC are not supported

Comment 18 Alicja Kario 2017-03-23 16:07:58 UTC
(In reply to Hubert Kario from comment #13)
> one thing I haven't tested is if the PBES2 uses PBKDF2 with a HMAC-SHA256,
> instead of the "standard" HMAC-SHA1. It's necessary as OpenSSL 1.1.0
> defaults to the former for PKCS#12 export.

I have tested it now and it doesn't work either (be it SHA224, SHA256, SHA384, SHA512 or MD5)

Comment 19 Alicja Kario 2017-03-29 12:58:32 UTC
when trying to import
ecdsa(P-256,sha256),cert&key(PBES2(PBKDF2(salt(8),iter(2048),keyLen(default),prf(default)),aes-128-cbc(IV(16)))),mac(sha1,salt(8),iter(2048)),pass(ascii).p12 
I'm getting 

pk12util: PKCS12 decode import bags failed: SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY: Unable to import.  Error attempting to import private key.

with exit code 19. Same with rsa key, aes-192-cbc or aes-256-cbc encryption.

Also can't import rsa(2048,sha256),cert&key(PBES2(PBKDF2(salt(16),iter(2048),keyLen(default),prf(default)),des-ede3-cbc(IV(8)))),mac(sha1,salt(8),iter(2048)),pass(ascii).p12

there the error is:
pk12util: PKCS12 decode not verified: SEC_ERROR_DECRYPTION_DISALLOWED: Cannot decrypt: encrypted using a disallowed algorithm or key size.
pk12util: PKCS12 decode not verified: SEC_ERROR_DECRYPTION_DISALLOWED: Cannot decrypt: encrypted using a disallowed algorithm or key size.

even when just listing the file (pk12util -l)

Import of
rsa(2048,sha256),cert(none),key(PBES2(PBKDF2(salt(8),iter(2048),keyLen(default),prf(default)),des-ede3-cbc(IV(8)))),mac(sha1,salt(8),iter(2048)),pass(ascii).p12
also fails

So I can't even test if the SHA-2 PRF for PBKDF2 is working...

Comment 20 Alicja Kario 2017-03-29 12:59:34 UTC
the above was tested using
nss-3.28.3-5.el7.x86_64
nss-util-3.28.3-3.el7.x86_64
nspr-4.13.1-1.0.el7.x86_64
nss-pem-1.0.3-2.el7.x86_64
nss-softokn-3.28.3-4.el7.x86_64

Comment 21 Daiki Ueno 2017-04-04 11:13:06 UTC
(In reply to Hubert Kario from comment #19)
> when trying to import
> ecdsa(P-256,sha256),cert&key(PBES2(PBKDF2(salt(8),iter(2048),keyLen(default),
> prf(default)),aes-128-cbc(IV(16)))),mac(sha1,salt(8),iter(2048)),pass(ascii).
> p12 
> I'm getting 
> 
> pk12util: PKCS12 decode import bags failed:
> SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY: Unable to import.  Error attempting
> to import private key.
> 
> with exit code 19. Same with rsa key, aes-192-cbc or aes-256-cbc encryption.

This is because BMPString encoded passwords are given to non-PKCS#12 PBEs, sigh.  That should have been tested as well in:
https://bugzilla.mozilla.org/show_bug.cgi?id=1268141

I have submitted a follow up fix for this:
https://bugzilla.mozilla.org/show_bug.cgi?id=1353325

> Also can't import
> rsa(2048,sha256),cert&key(PBES2(PBKDF2(salt(16),iter(2048),keyLen(default),
> prf(default)),des-ede3-cbc(IV(8)))),mac(sha1,salt(8),iter(2048)),pass(ascii).
> p12
> 
> there the error is:
> pk12util: PKCS12 decode not verified: SEC_ERROR_DECRYPTION_DISALLOWED:
> Cannot decrypt: encrypted using a disallowed algorithm or key size.
> pk12util: PKCS12 decode not verified: SEC_ERROR_DECRYPTION_DISALLOWED:
> Cannot decrypt: encrypted using a disallowed algorithm or key size.
> 
> even when just listing the file (pk12util -l)
> 
> Import of
> rsa(2048,sha256),cert(none),key(PBES2(PBKDF2(salt(8),iter(2048),
> keyLen(default),prf(default)),des-ede3-cbc(IV(8)))),mac(sha1,salt(8),
> iter(2048)),pass(ascii).p12
> also fails

DES-EDE3-CBC is explicitly disabled in:
https://dxr.mozilla.org/mozilla-central/source/security/nss/lib/pkcs12/p12plcy.c#26

Comment 22 Alicja Kario 2017-04-05 10:21:21 UTC
(In reply to Daiki Ueno from comment #21)
> (In reply to Hubert Kario from comment #19)
> > Import of
> > rsa(2048,sha256),cert(none),key(PBES2(PBKDF2(salt(8),iter(2048),
> > keyLen(default),prf(default)),des-ede3-cbc(IV(8)))),mac(sha1,salt(8),
> > iter(2048)),pass(ascii).p12
> > also fails
> 
> DES-EDE3-CBC is explicitly disabled in:
> https://dxr.mozilla.org/mozilla-central/source/security/nss/lib/pkcs12/
> p12plcy.c#26

none of the ciphers in that array are "allowed"...

Comment 23 Daiki Ueno 2017-04-05 15:27:30 UTC
(In reply to Hubert Kario from comment #22)
> (In reply to Daiki Ueno from comment #21)
> > (In reply to Hubert Kario from comment #19)
> > > Import of
> > > rsa(2048,sha256),cert(none),key(PBES2(PBKDF2(salt(8),iter(2048),
> > > keyLen(default),prf(default)),des-ede3-cbc(IV(8)))),mac(sha1,salt(8),
> > > iter(2048)),pass(ascii).p12
> > > also fails
> > 
> > DES-EDE3-CBC is explicitly disabled in:
> > https://dxr.mozilla.org/mozilla-central/source/security/nss/lib/pkcs12/
> > p12plcy.c#26
> 
> none of the ciphers in that array are "allowed"...

Sorry, you are right.  The cipher is rejected because of key length mismatch, checked at:
https://dxr.mozilla.org/mozilla-central/source/security/nss/lib/pkcs12/p12plcy.c#52

Comment 35 Alicja Kario 2017-06-16 16:25:46 UTC
Issues with handling of files encrypted using Camellia ciphers are tracked in bug 1462297.

Comment 36 Alicja Kario 2017-06-16 16:33:35 UTC
Issue with handling non-encrypted ECDSA PKCS#12 files are tracked in bug 1462302.

Comment 37 Alicja Kario 2017-06-16 17:07:48 UTC
Issues with handling files with scrypt key derivation function are tracked in bug 1462303.

Comment 38 errata-xmlrpc 2017-08-01 16:47:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:1977