Bug 1384107
| Summary: | PKCS#12 export illogically fails with some PBE algorithms [rhel-6] | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Stanislav Zidek <szidek> | |
| Component: | nss | Assignee: | Daiki Ueno <dueno> | |
| Status: | CLOSED ERRATA | QA Contact: | Stefan Dordevic <sdordevi> | |
| Severity: | medium | Docs Contact: | ||
| Priority: | medium | |||
| Version: | 6.8 | CC: | hkario, kdudka, kengert, mkolaja, mthacker, sdordevi | |
| Target Milestone: | rc | |||
| Target Release: | --- | |||
| Hardware: | All | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | nss-3.36.0-4.el6 | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1384147 (view as bug list) | Environment: | ||
| Last Closed: | 2018-06-19 05:10:04 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | 1485481 | |||
| Bug Blocks: | 1020868, 1384147 | |||
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2018:1865 |
Description of problem: While doing export with pk12util with algorithm specification for key/overall encryption (-c/-C), some algorithms fail for some types (key/overall) of encryption. Version-Release number of selected component (if applicable): nss-tools-3.21.0-8.el6 How reproducible: always Steps to Reproduce: cat >ciphers <<_EOF RC2-CBC RC5-CBCPad DES-EDE3-CBC AES-128-CBC AES-192-CBC AES-256-CBC CAMELLIA-128-CBC CAMELLIA-192-CBC CAMELLIA-256-CBC PKCS #12 PBE with Sha1 and 128 Bit RC4 PKCS #12 PBE with Sha1 and 40 Bit RC4 PKCS #12 PBE with Sha1 and Triple DES CBC PKCS #12 PBE with Sha1 and 128 Bit RC2 CBC PKCS #12 PBE with Sha1 and 40 Bit RC2 CBC PKCS12 V2 PBE with SHA1 and 128 Bit RC4 PKCS12 V2 PBE with SHA1 and 40 Bit RC4 PKCS12 V2 PBE with SHA1 and 3KEY Triple DES-cbc PKCS12 V2 PBE with SHA1 and 2KEY Triple DES-cbc PKCS12 V2 PBE with SHA1 and 128 Bit RC2 CBC PKCS12 V2 PBE with SHA1 and 40 Bit RC2 CBC PKCS #5 Password Based Encryption with MD2 and DES CBC PKCS #5 Password Based Encryption with MD5 and DES CBC PKCS #5 Password Based Encryption with SHA1 and DES CBC _EOF echo ".V3rysecu43pass" >pwfile mkdir nssdb certutil -N -f pwfile -d sql:nssdb/ printf "123456789012345678901234567890123456789012345678901234567890\n0\n5\n6\n9\ny\ny\n-1\ny\n5\n6\n7\n9\ny\n" |certutil -S -n ca -s 'CN=Test CA, O=Test Org, L=Test Loc, ST=Test State, C=TS' -t 'C,C,C' -x -w -3 -v 99 -1 -2 -5 -f pwfile -d sql:nssdb/ echo -n >good echo -n >good-key echo -n >good-overall i=0 while read x; do echo "$i: cipher: '$x'" echo "Key encryption:" pk12util -o x${i}.p12 -n ca -w pwfile -k pwfile -d sql:nssdb/ -c "$x" res1=$? echo echo "RESULT: $res1" [[ $res1 = 0 ]] && echo "$x" >>good-key echo "Overall encryption:" pk12util -o x${i}.p12 -n ca -w pwfile -k pwfile -d sql:nssdb/ -C "$x" res2=$? echo echo "RESULT: $res2" [[ $res2 = 0 ]] && echo "$x" >>good-overall if [[ $res1 = 0 && $res2 = 0 ]]; then echo "$x" >>good fi echo "---------------------------" i=$((i+1)) done <ciphers cat good cat good-key cat good-overall Actual results: # cat good RC2-CBC DES-EDE3-CBC # cat good-key RC2-CBC DES-EDE3-CBC AES-128-CBC AES-192-CBC AES-256-CBC CAMELLIA-128-CBC CAMELLIA-192-CBC CAMELLIA-256-CBC # cat good-overall RC2-CBC DES-EDE3-CBC PKCS #12 PBE with Sha1 and 128 Bit RC4 PKCS #12 PBE with Sha1 and 40 Bit RC4 PKCS #12 PBE with Sha1 and Triple DES CBC PKCS #12 PBE with Sha1 and 128 Bit RC2 CBC PKCS #12 PBE with Sha1 and 40 Bit RC2 CBC PKCS12 V2 PBE with SHA1 and 128 Bit RC4 PKCS12 V2 PBE with SHA1 and 40 Bit RC4 PKCS12 V2 PBE with SHA1 and 3KEY Triple DES-cbc PKCS12 V2 PBE with SHA1 and 2KEY Triple DES-cbc PKCS12 V2 PBE with SHA1 and 128 Bit RC2 CBC PKCS12 V2 PBE with SHA1 and 40 Bit RC2 CBC PKCS #5 Password Based Encryption with MD2 and DES CBC PKCS #5 Password Based Encryption with MD5 and DES CBC PKCS #5 Password Based Encryption with SHA1 and DES CBC Expected results: Everything supported.