Bug 2048557
| Summary: | gnutls certtool pkcs12 export doesn't let selecting a PRF | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Alexander Sosedkin <asosedki> |
| Component: | gnutls | Assignee: | Daiki Ueno <dueno> |
| Status: | NEW --- | QA Contact: | Alexander Sosedkin <asosedki> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | low | ||
| Version: | 9.0 | CC: | zfridric |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | Bug | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Description of problem: certtool --to-p12 always uses hmacWithSHA256 Version-Release number of selected component (if applicable): gnutls-3.7.3-1.el9 How reproducible: always Steps to Reproduce: 1. openssl req -x509 -newkey rsa -keyout localhost.key -out localhost.crt -subj /CN=localhost -nodes -batch 2. certtool --to-p12 --outder --p12-name localhost --load-certificate localhost.crt --load-privkey localhost.key --outfile p12 --password pass --hash SHA512 3. openssl pkcs12 -in p12 -info -nodes -noout -passin pass:pass Actual results: MAC: sha512, Iteration 600000 MAC length: 64, salt length: 8 PKCS7 Encrypted data: PBES2, PBKDF2, AES-128-CBC, Iteration 600000, PRF hmacWithSHA256 Certificate bag PKCS7 Data Shrouded Keybag: PBES2, PBKDF2, AES-128-CBC, Iteration 600000, PRF hmacWithSHA256 Expected results: MAC: sha512, Iteration 600000 MAC length: 64, salt length: 8 PKCS7 Encrypted data: PBES2, PBKDF2, AES-128-CBC, Iteration 600000, PRF hmacWithSHA512 Certificate bag PKCS7 Data Shrouded Keybag: PBES2, PBKDF2, AES-128-CBC, Iteration 600000, PRF hmacWithSHA512 Additional info: * maybe the control doesn't have to be --hash * int gnutls_pkcs12_bag_encrypt(gnutls_pkcs12_bag_t bag, const char * pass, unsigned int /*gnutls_pkcs_encrypt_flags_t*/ flags) doesn't have a readily available avenue to pass a choice of a PRF, so this might entail quite some work * code reference: https://gitlab.com/gnutls/gnutls/-/blob/c87f5aa5fd5a807a4444e428063db3f8635d378d/lib/x509/pkcs7-crypt.c#L1579 * related change: bz1764199 * wishlist-grade, as this should be workaroundable