Bug 1462302

Summary: Import of PKCS#12 files with ECDSA keys without encryption fails
Product: Red Hat Enterprise Linux 7 Reporter: Alicja Kario <hkario>
Component: nssAssignee: Daiki Ueno <dueno>
Status: CLOSED CURRENTRELEASE QA Contact: Alicja Kario <hkario>
Severity: low Docs Contact:
Priority: low    
Version: 7.4CC: dueno
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-02-11 15:41:45 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1492845    

Description Alicja Kario 2017-06-16 16:32:44 UTC 
Description of problem:
When a PKCS#12 file does not use encryption for key nor certificate for ECDSA, the import fails.

Version-Release number of selected component (if applicable):
nss-3.28.4-8.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. pk12util -i 'keyfile-corpus-keyfiles-0.1.2/ecdsa(P-256,sha256),cert(none),key(none),mac(sha1,salt(8),iter(2048)),pass(ascii).p12' -d sql:nssdb -w keyfile-corpus-keyfiles-0.1.2/password-ascii.txt


Actual results:
pk12util: PKCS12 decode import bags failed: SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY: Unable to import.  Error attempting to import private key.

Expected results:
file imported

Additional info:
Looks like the issue is only with the key part of the PKCS#12 file, not the certificate not being encrypted.
Comment 3 Simo Sorce 2019-02-11 15:41:45 UTC 
This issue was not selected to be included either in Red Hat Enterprise Linux 7.7 because it is seen either as low or moderate impact to a small amount of use-cases. The next release will be in Maintenance Support 1 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available. We will now close this issue, but if you believe that it qualifies for the Maintenance Support 1 Phase, please re-open; otherwise we recommend moving the request to Red Hat Enterprise Linux 8 if applicable.
Comment 4 Daiki Ueno 2019-02-28 09:47:04 UTC 
I am not able to reproduce it with the latest packages on RHEL-7.6:
$ pk12util -i 'keyfile-corpus/ecdsa(P-256,sha256),cert(none),key(none),mac(sha1,salt(8),iter(2048)),pass(ascii).p12' -d sql:nssdb -w keyfile-corpus/password-ascii.txt
pk12util: PKCS12 IMPORT SUCCESSFUL

Given that this was reported against 3.28 while 3.30 has a fix handling ECDSA private keys, I suppose this was already fixed in the previous rebase of NSS to 3.36:
https://bugzilla.mozilla.org/show_bug.cgi?id=1295121