When decoding PKCS #12, GnuTLS uses the DER decoder, so legal BER-encoded PKCS #12 files cannot be parsed. GnuTLS should use a BER parser for PKCS #12 files.
Example file: http://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=view&target=pkcs12.pfx
libtasn1-3.8-1.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/libtasn1-3.8-1.fc20
libtasn1-3.8-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
There is a related issue with indefinite encoded OCTET STRINGs.
gnutls-3.3.14-1.fc22 has been submitted as an update for Fedora 22. https://admin.fedoraproject.org/updates/gnutls-3.3.14-1.fc22
gnutls-3.3.14-1.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/gnutls-3.3.14-1.fc21
Package gnutls-3.3.14-1.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing gnutls-3.3.14-1.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-5108/gnutls-3.3.14-1.fc21
then log in and leave karma (feedback).
Nikos,

I'm trying to check this and leave karma, but I'm not sure I know how to test this. How can I test with the example pfx file from comment #1?

This is what I was trying as a quick test:

certtool --infile=pkcs12.pfx --p12-info --inder

But that seems to work with version gnutls-3.3.13-1.fc22.x86_64:

# certtool --infile=pkcs12.pfx --p12-info --inder
Enter password:
BAG #0
    Type: Encrypted
    Decrypting...
    Elements: 1
    Type: Certificate
    Friendly name: My Certificate
    Key ID: 1C:9C:00:37:0B:4A:07:06:9C:FA:24:CF:32:4B:1F:F0:AE:BA:0E:9A
-----BEGIN CERTIFICATE-----
...truncated for brevity...
-----END CERTIFICATE-----
BAG #1
    Elements: 1
    Type: PKCS #8 Encrypted key
    Friendly name: My Certificate
    Key ID: 1C:9C:00:37:0B:4A:07:06:9C:FA:24:CF:32:4B:1F:F0:AE:BA:0E:9A
-----BEGIN ENCRYPTED PRIVATE KEY-----
...truncated for brevity...
-----END ENCRYPTED PRIVATE KEY-----

Is there somewhere else this would fail if it's not fixed? Is there a way I could check that with danetool?

Thanks,
Scott
Unfortunately it is not easy to test as I received few encrypted PKCS #12 files which I cannot include in this bug report and they are not easy to regenerate either (they are not generated from either openssl or gnutls). If you have PKCS #12 files generated out of gnutls or openssl please try them (and if they can be distributed let me know). Otherwise simply check whether it works for your files.
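To tell whether a given PKCS #12 file contains encodings that a DER-only decoder rejects, a small TLV walker can report the BER-only constructs named in this report (indefinite lengths, constructed OCTET STRINGs). This is an added example, not code from GnuTLS, libtasn1 or any commenter; the function names and sample bytes are constructed for illustration.

```python
# Added example (not GnuTLS/libtasn1 code): report encodings legal in BER but not DER.
# Limitation: DER nested inside a primitive OCTET STRING is not unwrapped.
def _walk(buf, pos, end, findings, indefinite=False):
    while pos < end:
        start = pos
        if indefinite and buf[pos:pos + 2] == b"\x00\x00":
            return pos + 2                    # end-of-contents octets
        tag, first = buf[pos], buf[pos + 1]
        if tag & 0x1F == 0x1F:
            raise ValueError("high-tag-number form not handled here")
        pos += 2
        length = first
        if first == 0x80:                     # indefinite length
            if not tag & 0x20:
                raise ValueError("indefinite length on primitive type")
            findings.append((start, "indefinite length"))
            length = None
        elif first & 0x80:                    # long form, n length octets
            n = first & 0x7F
            length = int.from_bytes(buf[pos:pos + n], "big")
            if length < 0x80 or buf[pos] == 0:
                findings.append((start, "non-minimal length"))
            pos += n
        if tag == 0x24:                       # universal 4 with constructed bit
            findings.append((start, "constructed OCTET STRING"))
        if length is None:
            pos = _walk(buf, pos, end, findings, True)
            continue
        if pos + length > end:
            raise ValueError("TLV runs past its container")
        if tag & 0x20:                        # constructed: check the children
            _walk(buf, pos, pos + length, findings)
        pos += length
    if indefinite:
        raise ValueError("missing end-of-contents octets")
    return pos

def ber_only_features(data):
    """Return [(offset, reason)] for every BER-only construct found."""
    findings = []
    try:
        _walk(data, 0, len(data), findings)
    except IndexError:
        raise ValueError("truncated TLV") from None
    return findings

# Constructed samples: SEQUENCE { OCTET STRING "hello" } in DER and in BER.
DER_SAMPLE = bytes.fromhex("3007040568656c6c6f")
BER_SAMPLE = bytes.fromhex("3080 2480 0402 6865 0403 6c6c6f 0000 0000")
```

Calling ber_only_features() on the raw bytes of a .pfx returns an empty list when the outer structure is plain DER.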
Ok. Thanks for the help. Karma given.
(In reply to Scott Poore from comment #10)
> Ok. Thanks for the help. Karma given.

Thanks. Could you also give karma to libtasn1 since it is a dependency of this package?
https://admin.fedoraproject.org/updates/FEDORA-2015-5199/libtasn1-4.4-1.fc22?_csrf_token=9de63f67e81ed7f0f69414499917ad6dc7b79349
Sure. Should be done now.
gnutls-3.3.14-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
gnutls-3.3.14-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.