Bug 2041832
| Summary: | openssl pkcs12 unable to process nss pk12util generated pkcs12 file if its password length is >= 64 chars | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Anton Bobrov <abobrov> |
| Component: | nss | Assignee: | Bob Relyea <rrelyea> |
| Status: | CLOSED ERRATA | QA Contact: | Ivan Nikolchev <inikolch> |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | 9.0 | CC: | byodlows, dbelyavs, horst.thaller, inikolch, rrelyea, sahana, tmihinto |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | --- | Flags: | pm-rhel: mirror+ |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | nss-3.71.0-7.el9 | Doc Type: | No Doc Update |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2022-05-17 12:47:48 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (new packages: nss), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2022:2398

Description of problem:
It is not clear to me whether this is openssl pkcs12 or nss pk12util problem so please feel free to re-assign as appropriate. When exporting with pk12util if one specifies a password whose length is >= 64 chars the export succeeds however openssl pkcs12 fails to process resulting pkcs12 file.

Version-Release number of selected component (if applicable):

How reproducible:
This is easy to reproduce even with the latest versions e.g. on the latest Fedora.

Steps to Reproduce:

    ### USING A 64 BYTES (OR LONGER) p12filePassword ###
    pk12util -o ./test.p12 -d ./ -k ./pwdfile.txt -n Server-Cert -W 1234567890123456789012345678901234567890123456789012345678901234
    # pk12util: PKCS12 EXPORT SUCCESSFUL
    openssl pkcs12 -in ./test.p12 -out ./test.cert -clcerts -nodes -passin pass:1234567890123456789012345678901234567890123456789012345678901234
    # Error outputting keys and certificates
    # 806B34117F7F0000:error:1C800064:Provider routines:ossl_cipher_unpadblock:bad decrypt:providers/implementations/ciphers/ciphercommon_block.c:124:
    # 806B34117F7F0000:error:11800074:PKCS12 routines:PKCS12_pbe_crypt_ex:pkcs12 cipherfinal error:crypto/pkcs12/p12_decr.c:86:maybe wrong password
    ### END TEST ###

Actual results:

Expected results:

Additional info:

    643 EVPerr(EVP_F_EVP_DECRYPTFINAL_EX, EVP_R_BAD_DECRYPT);
    (gdb) p/x ctx->final
    $5 = {0x33, 0x3, 0xc3, 0xb, 0x18, 0x94, 0xe2, 0xd3, 0x32, 0x40, 0x25, 0x64, 0x79, 0x5b, 0x49, 0x53, 0x0 <repeats 16 times>}
    (gdb) where
    #0 EVP_DecryptFinal_ex (ctx=0x555555632fc0, out=0x55555563d440 "3\003\303\v\030\224\342\323\062@%dy[IS", outl=0x7fffffffc964) at crypto/evp/evp_enc.c:643
    #1 0x00007ffff7d812a5 in PKCS12_pbe_crypt (algor=<optimized out>, pass=pass@entry=0x555555634ff0 "1234567890123456789012345678901234567890123456789012345678901234", passlen=-13980, passlen@entry=-1, in=0x555555638da0 "\277T$U\355\211b\037RA\204(\212\061r\240r\200\367\300~\261R\222\023\034u\207\265\376\310\355|\327\003-\t\b\324\066G\375\t\266\376Y\205\233>!e\034n\034bS!\267\332#\251a\325-:ۍ\177\211\332Z\351n\274\342fv\253\262Bf%\027\005\317Ȫ-\257N8>A&d\270\a\030\027\312Y\337E\225\360\356\033\202`\255\067\211\273DB\362#\235v\271\220\\\377/\225\271\350ON\324\032\200f\337\333V\270\332\372\f\372u]N\222\\\205\243\230\065\217\060\217\017\t{\364_\217\\!\374\\+v\263)\331{ik\375u\267\344B\223iG9\230\260i'R\227\326\326\034\267eC\n\231G\373\350b", <incomplete sequence \365>..., inlen=<optimized out>, data=data@entry=0x7fffffffc9d0, datalen=0x7fffffffc9c4, en_de=0) at crypto/pkcs12/p12_decr.c:59
    #2 0x00007ffff7d81431 in PKCS12_item_decrypt_d2i (algor=<optimized out>, it=0x7ffff7ee19c0 <PKCS8_PRIV_KEY_INFO_it>, pass=pass@entry=0x555555634ff0 "1234567890123456789012345678901234567890123456789012345678901234", passlen=passlen@entry=-1, oct=<optimized out>, zbuf=zbuf@entry=1) at crypto/pkcs12/p12_decr.c:91
    #3 0x00007ffff7d82173 in PKCS8_decrypt (p8=<optimized out>, pass=pass@entry=0x555555634ff0 "1234567890123456789012345678901234567890123456789012345678901234", passlen=passlen@entry=-1) at crypto/pkcs12/p12_p8d.c:20
    #4 0x00007ffff7d826bd in PKCS12_decrypt_skey (bag=bag@entry=0x555555632e30, pass=pass@entry=0x555555634ff0 "1234567890123456789012345678901234567890123456789012345678901234", passlen=passlen@entry=-1) at crypto/pkcs12/p12_add.c:144
    #5 0x00005555555d6b72 in dump_certs_pkeys_bag.constprop.0 (out=out@entry=0x555555636b00, bag=0x555555632e30, pass=pass@entry=0x555555634ff0 "1234567890123456789012345678901234567890123456789012345678901234", options=options@entry=8, pempass=pempass@entry=0x0, enc=enc@entry=0x0, passlen=-1) at apps/pkcs12.c:696
    #6 0x00005555555a792b in dump_certs_pkeys_bags (passlen=<optimized out>, enc=<optimized out>, pempass=<optimized out>, options=<optimized out>, pass=<optimized out>, bags=<optimized out>, out=<optimized out>) at apps/pkcs12.c:647
    #7 dump_certs_keys_p12 (passlen=-1, enc=0x0, pempass=0x0, options=8, pass=0x555555634ff0 "1234567890123456789012345678901234567890123456789012345678901234", p12=0x555555636b80, out=0x555555636b00) at apps/pkcs12.c:626
    #8 pkcs12_main (argc=<optimized out>, argv=<optimized out>) at apps/pkcs12.c:578
    #9 0x00005555555a0876 in do_cmd (prog=0x5555556305c0, argc=9, argv=0x7fffffffe200) at apps/openssl.c:570
    #10 0x000055555558cdcd in main (argc=9, argv=0x7fffffffe200) at apps/openssl.c:189
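
The reproduction steps in the report, turned into a sweep over password lengths on both sides of 64 so an installed nss/openssl pair can be checked for the interop failure. This is an added example, not the reporter's script or project code. The nickname Server-Cert and pwdfile.txt come from the report; the throwaway database, its password, the certificate subject, the lengths other than 64 and the function names are assumptions.

```shell
#!/bin/sh
# Added example: pk12util -> openssl pkcs12 interop check around 64 characters.

# mkpass N: print an N-character password of repeating digits (constructed).
mkpass() {
    n=$1; p=
    while [ "${#p}" -lt "$n" ]; do p="${p}1234567890"; done
    printf "%.${n}s" "$p"
}

# setup: throwaway NSS database holding a self-signed cert named Server-Cert.
setup() {
    WORK=$(mktemp -d) || return 1
    printf 'constructed-db-password\n' > "$WORK/pwdfile.txt"
    head -c 64 /dev/urandom > "$WORK/noise"
    certutil -N -d "$WORK" -f "$WORK/pwdfile.txt" >/dev/null 2>&1 &&
    certutil -S -x -n Server-Cert -s "CN=p12-interop-test" -t "u,u,u" \
        -d "$WORK" -f "$WORK/pwdfile.txt" -z "$WORK/noise" >/dev/null 2>&1
}

# interop_check LEN: 0 = openssl read the export, 1 = openssl could not
# decrypt it (the symptom in the report), 2 = the export itself failed.
interop_check() {
    pw=$(mkpass "$1")
    pk12util -o "$WORK/test.p12" -d "$WORK" -k "$WORK/pwdfile.txt" \
        -n Server-Cert -W "$pw" >/dev/null 2>&1 || return 2
    openssl pkcs12 -in "$WORK/test.p12" -out /dev/null -clcerts -nodes \
        -passin "pass:$pw" >/dev/null 2>&1 || return 1
}

# sweep: 0 if every length round-trips, 1 if any fails, 77 if a tool is missing.
sweep() {
    for tool in certutil pk12util openssl; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing: $tool"; return 77; }
    done
    setup || { rm -rf "$WORK"; echo "could not create test database"; return 1; }
    failed=0
    for len in 32 63 64 65 128; do
        interop_check "$len"; rc=$?
        echo "password length $len: rc=$rc"
        [ "$rc" -eq 0 ] || failed=1
    done
    rm -rf "$WORK"
    return "$failed"
}

# Run the sweep only when the script is invoked with the argument "run".
if [ "${1:-}" = run ]; then sweep; fi
```

The symptom in the report corresponds to rc=1 at lengths 64 and above; the passwords are throwaway test values, which is why they are passed on the command line as in the report.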