Bug 1250020

Summary: gnutls_x509_privkey_import can no longer import some private keys
Product: Fedora
Reporter: Daniel Berrangé <berrange>
Component: gnutls
Assignee: Nikos Mavrogiannopoulos <nmavrogi>
Status: CLOSED NEXTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: 23
CC: nmavrogi, tmraz
Hardware: Unspecified
OS: Unspecified
Fixed In Version: 3.4.4-1.fc23
Doc Type: Bug Fix
Last Closed: 2015-09-01 03:37:18 UTC
Type: Bug
Attachments:
  Demo program (flags: none)

Description Daniel Berrangé 2015-08-04 11:16:07 UTC
Description of problem:
The gnutls_x509_privkey_import method is no longer able to load private keys with a starting signature of:


    -----BEGIN PRIVATE KEY-----

It can only load keys which mention an explicit algorithm.

The gnutls_x509_privkey_import2 method succeeds, which is why certtool --infile blah -k does not show any problem.

The problem appears to have been caused by this commit in 3.4.3:

commit 0debaca946b74c66e67ed1a86c671ec3573b779a
Author: Nikos Mavrogiannopoulos <nmav>
Date:   Thu Jun 25 15:08:54 2015 +0200

    gnutls_x509_privkey_import: optimized private key loading

Originally the result would get set to GNUTLS_E_BASE64_UNEXPECTED_HEADER_ERROR.

But now it gets set to GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE.

As a result, when the code jumps to the 'failover' label it no longer triggers the PKCS#8 fallback path:

      failover:
        /* Try PKCS #8 */
        if (result == GNUTLS_E_BASE64_UNEXPECTED_HEADER_ERROR) {
                _gnutls_debug_log
                    ("Falling back to PKCS #8 key decoding\n");
                result =
                    gnutls_x509_privkey_import_pkcs8(key, data, format,
                                                     NULL,
                                                     GNUTLS_PKCS_PLAIN);
        }

This regression is breaking the libvirt test suite which uses the import method.


Version-Release number of selected component (if applicable):
3.4.3

How reproducible:
Always

Steps to Reproduce:
1. Save attached demo to priv.c
2. gcc `pkg-config --cflags --libs gnutls` -o priv priv.c
3. ./priv

Actual results:
Failed to import key The requested data were not available.
Aborted (core dumped)


Expected results:
Loads the private key

Additional info:

Comment 1 Daniel Berrangé 2015-08-04 11:16:48 UTC
Created attachment 1059045 [details]
Demo program

Comment 2 Nikos Mavrogiannopoulos 2015-08-04 12:01:56 UTC
Thanks. I've committed a fix upstream.

https://gitlab.com/gnutls/gnutls/commit/3573c516a1cf1adc0df3b4caaeec64f55753016d

Comment 3 Fedora Update System 2015-08-10 08:58:39 UTC
gnutls-3.4.4-1.fc23 has been submitted as an update for Fedora 23.
https://admin.fedoraproject.org/updates/gnutls-3.4.4-1.fc23

Comment 4 Fedora Update System 2015-08-12 20:10:48 UTC
Package gnutls-3.4.4-1.fc23:
* should fix your issue,
* was pushed to the Fedora 23 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing gnutls-3.4.4-1.fc23'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-13287/gnutls-3.4.4-1.fc23
then log in and leave karma (feedback).

Comment 5 Fedora Update System 2015-09-01 03:37:12 UTC
gnutls-3.4.4-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.