
Bug 1146592

Summary: pk12util can't import pkcs12 file when it's generated via gnutls (importing an RSA private key fails if p < q)
Product: Red Hat Enterprise Linux 7
Component: nss
Version: 7.0
Status: CLOSED DUPLICATE
Severity: urgent
Priority: urgent
Target Milestone: rc
Keywords: Regression
Hardware: Unspecified
OS: Unspecified
Reporter: Aleš Mareček <amarecek>
Assignee: Elio Maldonado Batiz <emaldona>
QA Contact: BaseOS QE Security Team <qe-baseos-security>
CC: kengert, rrelyea, sforsber
Doc Type: Bug Fix
Type: Bug
Last Closed: 2014-10-09 20:33:07 UTC

Description Aleš Mareček 2014-09-25 15:11:48 UTC
Description of problem:
pk12util fails to import a pkcs12 file that was generated by gnutls (to pem) and converted to pkcs12 format (via openssl). The import into nssdb then fails.

Version-Release number of selected component (if applicable):
nss-3.16.2-7.el7_0
gnutls-3.1.18-9.el7_0

How reproducible:
Always

Steps to Reproduce:
1. run the automated test


Actual results:
pk12util: File Open failed: n: PR_FILE_NOT_FOUND_ERROR: File not found
i:x86_64|m:x86_64 root@x86-64-v03 [tmp.AG5D8CE4E4]# pk12util -i "ca.p12" -W "" -k /root/.pki/nssdb/nsspassword -d sql:/root/.pki/nssdb
pk12util: no nickname for cert in PKCS12 file.
pk12util: using nickname: ca.example.com - Unspecified


Expected results:
pass

Additional info:

Comment 3 Bob Relyea 2014-09-25 16:32:41 UTC
We do need to fix this, but it's not a regression in RHEL 7.0z:

rpm -q nss nss-softokn nss-util
nss-3.16.2-2.el7_0.x86_64
nss-softokn-3.16.2-1.el7_0.x86_64
nss-util-3.16.2-1.el7_0.x86_64
[bob@localhost ~]$ mkdir testdb
[bob@localhost ~]$ certutil -N -d testdb
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.

Enter new password: 
Re-enter password: 
[bob@localhost ~]$ pk12util -d testdb -i ca.p12 
Enter password for PKCS12 file: 
pk12util: no nickname for cert in PKCS12 file.
pk12util: using nickname: ca.example.com - Unspecified
pk12util: PKCS12 decode import bags failed: SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY: Unable to import.  Error attempting to import private key.
[bob@localhost ~]$ which pk12util
/usr/bin/pk12util
[bob@localhost ~]$ ldd `which pk12util`
	linux-vdso.so.1 =>  (0x00007fffa66fb000)
	libssl3.so => /lib64/libssl3.so (0x00007f12ec815000)
	libsmime3.so => /lib64/libsmime3.so (0x00007f12ec5ee000)
	libnss3.so => /lib64/libnss3.so (0x00007f12ec2c8000)
	libnssutil3.so => /lib64/libnssutil3.so (0x00007f12ec09c000)
	libplc4.so => /lib64/libplc4.so (0x00007f12ebe97000)
	libplds4.so => /lib64/libplds4.so (0x00007f12ebc92000)
	libnspr4.so => /lib64/libnspr4.so (0x00007f12eba54000)
	libsoftokn3.so => /lib64/libsoftokn3.so (0x00007f12eb815000)
	libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f12eb5f8000)
	libdl.so.2 => /lib64/libdl.so.2 (0x00007f12eb3f4000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f12eb033000)
	libz.so.1 => /lib64/libz.so.1 (0x00007f12eae1c000)
	librt.so.1 => /lib64/librt.so.1 (0x00007f12eac14000)
	libsqlite3.so.0 => /lib64/libsqlite3.so.0 (0x00007f12ea95e000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f12eca6a000)

Comment 4 Aleš Mareček 2014-09-25 17:00:11 UTC
I suppose the "ca.p12" file is the one I sent? It should probably be attached (or the mechanism for generating it).

Comment 5 Elio Maldonado Batiz 2014-10-09 18:20:18 UTC
See Bug 1150645

Comment 6 Kai Engert (:kaie) (inactive account) 2014-10-09 20:33:07 UTC
Marking as a duplicate of bug 1150645, as suggested by Bob.

This makes sense, because this bug is a "nss" component bug, the other one is an "nss-softokn" component bug - where the problem resides.

The other bug already has some approvals.

Can you please copy over relevant test information?
We believe this is the same scenario.
Thank you.

*** This bug has been marked as a duplicate of bug 1150645 ***
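
The summary ties the import failure to RSA private keys whose first prime is smaller than the second (p < q). The following is an added example, not code from NSS, GnuTLS or this bug report: it checks the PKCS#1 CRT fields of a key and rewrites a p < q key into the equivalent p > q form. The function names and the toy primes are constructed for illustration.

```python
from math import gcd

def make_key(p, q, e):
    """Build an RSA private key with PKCS#1 CRT fields for primes in the order given."""
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    d = pow(e, -1, lam)
    return {"n": p * q, "e": e, "d": d, "p": p, "q": q,
            "dP": d % (p - 1),       # exponent1
            "dQ": d % (q - 1),       # exponent2
            "qInv": pow(q, -1, p)}   # coefficient = q^-1 mod p

def check_key(k):
    """Return a list of inconsistencies between the CRT fields and p, q, e."""
    problems = []
    if k["p"] * k["q"] != k["n"]:
        problems.append("n != p*q")
    if (k["e"] * k["dP"]) % (k["p"] - 1) != 1:
        problems.append("dP does not match p")
    if (k["e"] * k["dQ"]) % (k["q"] - 1) != 1:
        problems.append("dQ does not match q")
    if (k["qInv"] * k["q"]) % k["p"] != 1:
        problems.append("qInv is not q^-1 mod p")
    return problems

def normalize(k):
    """Return an equivalent key with p > q: swap primes and exponents, recompute qInv."""
    if k["p"] > k["q"]:
        return dict(k)
    out = dict(k, p=k["q"], q=k["p"], dP=k["dQ"], dQ=k["dP"])
    out["qInv"] = pow(out["q"], -1, out["p"])
    return out

def crt_private_op(k, m):
    """m^d mod n using the CRT fields (Garner recombination)."""
    m1 = pow(m, k["dP"], k["p"])
    m2 = pow(m, k["dQ"], k["q"])
    h = (k["qInv"] * (m1 - m2)) % k["p"]
    return m2 + h * k["q"]

# Constructed toy key with p < q (far too small for real use).
KEY_P_LT_Q = make_key(53, 61, 17)
KEY_FIXED = normalize(KEY_P_LT_Q)
```

Both forms are valid keys for the same modulus and produce the same private-key result; swapping only the primes without also swapping the exponents and recomputing the coefficient leaves a key that `check_key` rejects.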