Bug 1131461 - gnutls fails to load BER-encoded PKCS #12 files
Summary: gnutls fails to load BER-encoded PKCS #12 files
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: gnutls
Version: 21
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Nikos Mavrogiannopoulos
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-08-19 10:52 UTC by Nikos Mavrogiannopoulos
Modified: 2015-04-21 18:42 UTC (History)
4 users (show)

Fixed In Version: gnutls-3.3.14-1.fc22
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-04-18 09:47:02 UTC
Type: Bug


Attachments (Terms of Use)

Description Nikos Mavrogiannopoulos 2014-08-19 10:52:11 UTC
GnuTLS when decoding PKCS #12 uses the DER decoder, so any legal BER-encoded PKCS #12 files cannot be parsed. 

Gnutls should use a BER parser for PKCS #12 files.

Comment 1 Nikos Mavrogiannopoulos 2014-08-19 10:53:55 UTC
Example file: http://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=view&target=pkcs12.pfx

Comment 2 Fedora Update System 2014-08-25 07:56:13 UTC
libtasn1-3.8-1.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/libtasn1-3.8-1.fc20

Comment 3 Fedora Update System 2014-09-02 06:46:51 UTC
libtasn1-3.8-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 4 Nikos Mavrogiannopoulos 2015-03-04 10:37:02 UTC
There is a related issue with indefinite encoded OCTET STRINGs.

Comment 5 Fedora Update System 2015-03-30 12:23:55 UTC
gnutls-3.3.14-1.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/gnutls-3.3.14-1.fc22

Comment 6 Fedora Update System 2015-03-30 12:24:21 UTC
gnutls-3.3.14-1.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/gnutls-3.3.14-1.fc21

Comment 7 Fedora Update System 2015-03-31 21:43:21 UTC
Package gnutls-3.3.14-1.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing gnutls-3.3.14-1.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-5108/gnutls-3.3.14-1.fc21
then log in and leave karma (feedback).

Comment 8 Scott Poore 2015-04-06 16:20:30 UTC
Nikos,

I'm trying to check this and leave karma but, I'm not sure I know how to test this.

How can I test with the example pfx file from comment #1?

This is what I was trying as a quick test:

certtool --infile=pkcs12.pfx --p12-info --inder

But, that seems to work with version gnutls-3.3.13-1.fc22.x86_64:

# certtool --infile=pkcs12.pfx --p12-info --inder
Enter password: 
BAG #0
	Type: Encrypted

	Decrypting...
	Elements: 1
	Type: Certificate
	Friendly name: My Certificate
	Key ID: 1C:9C:00:37:0B:4A:07:06:9C:FA:24:CF:32:4B:1F:F0:AE:BA:0E:9A
-----BEGIN CERTIFICATE-----
...truncated for brevity...
-----END CERTIFICATE-----

BAG #1
	Elements: 1
	Type: PKCS #8 Encrypted key
	Friendly name: My Certificate
	Key ID: 1C:9C:00:37:0B:4A:07:06:9C:FA:24:CF:32:4B:1F:F0:AE:BA:0E:9A
-----BEGIN ENCRYPTED PRIVATE KEY-----
...truncated for brevity...
-----END ENCRYPTED PRIVATE KEY-----

Is there somewhere else this would fail if it's not fixed?  Is there a way I could check that with danetool?

Thanks,
Scott

Comment 9 Nikos Mavrogiannopoulos 2015-04-06 20:36:15 UTC
Unfortunately it is not easy to test as I received few encrypted PKCS #12 files which I cannot include in this bug report and they are not easy to regenerate either (they are not generated from either openssl or gnutls). If you have PKCS #12 files generated out of gnutls or openssl please try them (and if they can be distributed let me know). Otherwise simply check whether it works for your files.

Comment 10 Scott Poore 2015-04-07 12:51:00 UTC
Ok.  Thanks for the help.  Karma given.

Comment 11 Nikos Mavrogiannopoulos 2015-04-07 14:01:10 UTC
(In reply to Scott Poore from comment #10)
> Ok.  Thanks for the help.  Karma given.

Thanks. Could you also give karma to libtasn1 since it is a dependency of this package?

https://admin.fedoraproject.org/updates/FEDORA-2015-5199/libtasn1-4.4-1.fc22?_csrf_token=9de63f67e81ed7f0f69414499917ad6dc7b79349

Comment 12 Scott Poore 2015-04-07 16:20:26 UTC
Sure.  Should be done now.

Comment 13 Fedora Update System 2015-04-18 09:47:02 UTC
gnutls-3.3.14-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2015-04-21 18:42:29 UTC
gnutls-3.3.14-1.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.