Bug 1491444
Summary: | PKCS#12 files from older NSS releases do not work with current NSS versions | |||
---|---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Nathan Kinder <nkinder> | |
Component: | nss | Assignee: | Daiki Ueno <dueno> | |
Status: | CLOSED ERRATA | QA Contact: | Hubert Kario <hkario> | |
Severity: | high | Docs Contact: | ||
Priority: | high | |||
Version: | 7.4 | CC: | dueno, hkario, kengert, szidek, tmraz, tscherf | |
Target Milestone: | rc | Keywords: | Regression, ZStream | |
Target Release: | --- | |||
Hardware: | Unspecified | |||
OS: | Unspecified | |||
Whiteboard: | ||||
Fixed In Version: | nss-3.34.0-0.1.beta1.el7 | Doc Type: | If docs needed, set a value | |
Doc Text: | Story Points: | --- | ||
Clone Of: | ||||
: | 1493911 (view as bug list) | Environment: | ||
Last Closed: | 2018-04-10 09:44:43 UTC | Type: | Bug | |
Bug Blocks: | 1492845, 1493911, 1494631 |
Description
Nathan Kinder
2017-09-13 20:14:27 UTC
The problem is a bit bigger - NSS 3.21.0 will create PKCS#12 files that cannot be processed by OpenSSL-1.1.1-dev in many cases.

When key (-c option to pk12util) is encrypted with following mechanisms:

- RC2-CBC
- DES-EDE3-CBC
- PKCS #12 V2 PBE With SHA-1 And 128 Bit RC4
- PKCS #12 V2 PBE With SHA-1 And 40 Bit RC4
- PKCS #12 V2 PBE With SHA-1 And 3KEY Triple DES-CBC
- PKCS #12 V2 PBE With SHA-1 And 128 Bit RC2 CBC
- PKCS #12 V2 PBE With SHA-1 And 40 Bit RC2 CBC

it is decryptable with OpenSSL.

When it is encrypted with following mechanisms:

- DES-ECB
- DES-CBC
- PKCS #5 Password Based Encryption with MD2 and DES-CBC
- PKCS #5 Password Based Encryption with MD5 and DES-CBC
- PKCS #5 Password Based Encryption with SHA-1 and DES-CBC
- AES-128-ECB
- AES-128-CBC
- AES-192-ECB
- AES-192-CBC
- AES-256-ECB
- AES-256-CBC
- CAMELLIA-128-CBC
- CAMELLIA-192-CBC
- CAMELLIA-256-CBC
- SEED-CBC

it is not decryptable with OpenSSL.

With nss-3.32.0-1.1.fc25, the following are decryptable by OpenSSL:

- RC2-CBC
- DES-EDE3-CBC
- PKCS #12 V2 PBE With SHA-1 And 128 Bit RC4
- PKCS #12 V2 PBE With SHA-1 And 40 Bit RC4
- PKCS #12 V2 PBE With SHA-1 And 3KEY Triple DES-CBC
- PKCS #12 V2 PBE With SHA-1 And 128 Bit RC2 CBC
- PKCS #12 V2 PBE With SHA-1 And 40 Bit RC2 CBC
- AES-128-CBC
- AES-192-CBC
- AES-256-CBC
- CAMELLIA-256-CBC
- SEED-CBC

While following are not:

- DES-ECB
- DES-CBC
- PKCS #5 Password Based Encryption with MD2 and DES-CBC
- PKCS #5 Password Based Encryption with MD5 and DES-CBC
- PKCS #5 Password Based Encryption with SHA-1 and DES-CBC
- AES-128-ECB
- AES-192-ECB
- AES-256-ECB
- CAMELLIA-128-CBC
- CAMELLIA-192-CBC

For certificates (-C) encryption both versions create undecryptable files with following ciphers:

- DES-CBC
- PKCS #5 Password Based Encryption with MD2 and DES-CBC
- PKCS #5 Password Based Encryption with MD5 and DES-CBC
- PKCS #5 Password Based Encryption with SHA-1 and DES-CBC

(In reply to Hubert Kario from comment #8)
> The problem is a bit bigger - NSS 3.21.0 will create PKCS#12 files that
> cannot be processed by OpenSSL-1.1.1-dev in many cases.

Unless it is also the case with NSS (i.e. such files created with NSS 3.21 can be read by NSS 3.21, but not with NSS 3.28 any more), could you file a separate bug with a lower priority, please?

man page fix postponed to RHEL 7.5: bug 1498182

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:0679
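The interoperability check described in comment #8 can be repeated against any NSS build with a loop like the one below. This is an added example, not a script from the bug report or from NSS: it exports one key per `-c` cipher with pk12util and checks whether OpenSSL can decrypt the result. The database path, nickname and passwords are placeholder assumptions, and the NSS database must already contain the certificate and its private key.

```shell
#!/bin/sh
# Added example, not from the bug report. All defaults below are
# placeholder assumptions; override them through the environment.
NSS_DB=${NSS_DB:-sql:./nssdb}      # existing NSS database
NICKNAME=${NICKNAME:-test-cert}    # cert + private key to export
DB_PASS=${DB_PASS:-dbpass}         # throwaway test passwords only:
P12_PASS=${P12_PASS:-p12pass}      # they are visible in the process list
PK12UTIL=${PK12UTIL:-pk12util}
OPENSSL=${OPENSSL:-openssl}

# check_cipher NAME: prints ok, export-failed or openssl-failed
check_cipher() {
    dir=$(mktemp -d) || return 2   # private 0700 dir for the key file
    out=$dir/export.p12
    if ! "$PK12UTIL" -o "$out" -n "$NICKNAME" -d "$NSS_DB" \
            -K "$DB_PASS" -W "$P12_PASS" -c "$1" >/dev/null 2>&1; then
        echo export-failed
    # -nodes forces OpenSSL to decrypt the key bag; -noout would skip it
    elif "$OPENSSL" pkcs12 -in "$out" -passin "pass:$P12_PASS" \
            -nodes -out /dev/null >/dev/null 2>&1; then
        echo ok
    else
        echo openssl-failed
    fi
    rm -rf "$dir"
}

# A subset of the key-cipher names listed in the report; extend as needed.
run_matrix() {
    while IFS= read -r cipher; do
        [ -n "$cipher" ] || continue
        printf '%-58s %s\n' "$cipher" "$(check_cipher "$cipher")"
    done <<'EOF'
DES-EDE3-CBC
PKCS #12 V2 PBE With SHA-1 And 3KEY Triple DES-CBC
PKCS #5 Password Based Encryption with SHA-1 and DES-CBC
AES-128-CBC
AES-256-CBC
CAMELLIA-128-CBC
EOF
}

# Only touch the database when invoked as: script.sh run
if [ "${1:-}" = run ]; then run_matrix; fi
```

Replacing `-c "$1"` with `-C "$1"` covers the certificate-encryption case from the same comment.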