Bug 1462297

Summary: Import of PKCS#12 files with Camellia encryption is not supported
Product: Red Hat Enterprise Linux 7 Reporter: Alicja Kario <hkario>
Component: nssAssignee: Bob Relyea <rrelyea>
Status: CLOSED ERRATA QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium Docs Contact:
Priority: low    
Version: 7.4CC: jreznik, ssorce
Target Milestone: rcKeywords: Reopened, Triaged, ZStream
Target Release: ---Flags: pm-rhel: mirror+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-09-26 15:18:33 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1492845    

Description Alicja Kario 2017-06-16 16:06:28 UTC 
Description of problem:
PKCS#12 files encrypted using camellia-128-cbc, camellia-192-cbc or camellia-256-cbc algorithms are unsupported by pk12util

Version-Release number of selected component (if applicable):
nss-3.28.4-8.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. openssl req -x509 -newkey rsa -keyout localhost.key -out localhost.crt -subj /CN=localhost -nodes -batch
2. echo "RedHatEnterpriseLinux7.1" | openssl pkcs12 -export -out bundle.p12 -in localhost.crt -caname server-cert -nokeys -passout stdin -certpbe camellia-128-cbc -keypbe camellia-128-cbc
3. pk12util -l bundle.p12 -W RedHatEnterpriseLinux7.1 -v


Actual results:
pk12util: PKCS12 decode not verified: SEC_ERROR_BAD_DER: security library: improperly formatted DER-encoded message.
pk12util: PKCS12 decode not verified: SEC_ERROR_BAD_DER: security library: improperly formatted DER-encoded message.

Expected results:
Contents of the PKCS#12 file listed

Additional info:
Import of the PKCS#12 file to the NSS database does not work either.
Comment 2 Alicja Kario 2017-09-15 17:18:19 UTC 
When certificates are encrypted with 40 bit RC2 and key is encrypted with camellia-256-cbc, using NSS 3.32, the file is importable:

echo "RedHatEnterpriseLinux7.1" | openssl pkcs12 -export -out bundle.p12 -in localhost.crt -inkey localhost.key -caname server-cert -passout stdin -keypbe camellia-256-cbc

mkdir nssdb
certutil -N --empty-password -d sql:nssdb
pk12util -i bundle.p12 -d sql:nssdb -W RedHatEnterpriseLinux7.1 -v
PKCS12 IMPORT SUCCESSFUL

camellia-128-cbc and camellia-192-cbc exported by NSS are "obviously" wrong - specify 32 byte key in PBKDF2, so the likely issue is with just the formatting of the file, not PBES2 or PBKDF2
Comment 8 Bob Relyea 2021-06-23 22:29:33 UTC 
Ooops this bug need zstream+ and pm_ack+. Don't know why it didn't automatically get pm_ack with the devel & qa_acks.
Comment 30 errata-xmlrpc 2022-09-26 15:18:33 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (nss, nss-softokn, nss-util, and nspr bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:6712