Bug 1181614 - python-nss exported pkcs12 files can not be listed with pk12util
Summary: python-nss exported pkcs12 files can not be listed with pk12util
Keywords:
Status: CLOSED DUPLICATE of bug 1174527
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: nss
Version: 7.1
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: rc
: ---
Assignee: Elio Maldonado Batiz
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks: 1180596
Reported: 2015-01-13 13:11 UTC by Patrik Kis
Modified: 2015-01-19 21:30 UTC (History)

Fixed In Version: nss-3.16.2.3-5.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-01-19 21:30:24 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1174527 0 unspecified CLOSED Segfault in pk12util when using -l option with certain .p12 files 2021-02-22 00:41:40 UTC

Internal Links: 1174527

Description Patrik Kis 2015-01-13 13:11:30 UTC
Description of problem:
This is a regression introduced in nss-3.16.2.3-3.


Version-Release number of selected component (if applicable):
nss-sysinit-3.16.2.3-4
nss-softokn-freebl-3.16.2.3-4
nss-util-3.16.2.3-1
nss-3.16.2.3-4
nss-softokn-3.16.2.3-4
nss-tools-3.16.2.3-4
python-nss-doc-0.16.0-2
python-nss-0.16.0-2

How reproducible:
always

Steps to Reproduce:
# python /usr/share/doc/python-nss-0.16.0/test/setup_certs.py
INFO: Creating clean database directory: "pki"
INFO: creating ca cert: subject="CN=Test CA", nickname="test_ca"
INFO: creating server cert: subject="CN=ibm-p8-05-lp6.rhts.eng.bos.redhat.com", nickname="test_server"
INFO: creating client cert: subject="CN=test_user", nickname="test_user"
INFO: adding system trusted certs: name="ca_certs" module="libnssckbi.so"
INFO: ---------- Summary ----------
INFO: NSS database name="sql:pki", password="db_passwd"
INFO: CA nickname="test_ca", CA subject="CN=Test CA"
INFO: server nickname="test_server", server subject="CN=ibm-p8-05-lp6.rhts.eng.bos.redhat.com"
INFO: client nickname="test_user", client subject="CN=test_user"
# ll
total 0
drwxr-xr-x. 2 root root 65 Jan 13 07:54 pki
#
# python /usr/share/doc/python-nss-0.16.0/test/test_pkcs12.py
..E
======================================================================
ERROR: test_export (test_pkcs12.TestPKCS12Export)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/usr/share/doc/python-nss-0.16.0/test/test_pkcs12.py", line 210, in test_export
    exported_pk12_listing = list_pk12(exported_pk12_filename)
  File "/usr/share/doc/python-nss-0.16.0/test/test_pkcs12.py", line 109, in list_pk12
    stdout, stderr = run_cmd(cmd_args)
  File "/usr/share/doc/python-nss-0.16.0/test/test_pkcs12.py", line 56, in run_cmd
    stdout, stderr)
CmdError: failed /usr/bin/pk12util, -l, exported_test_user.p12, -W, pk12_passwd

----------------------------------------------------------------------
Ran 3 tests in 6.867s

FAILED (errors=1)
#
# /usr/bin/pk12util -l exported_test_user.p12 -W pk12_passwd
pk12util: PKCS12 decode not verified: SEC_ERROR_BAD_PASSWORD: The security password entered is incorrect.
pk12util: PKCS12 decode not verified: SEC_ERROR_BAD_DER: security library: improperly formatted DER-encoded message.
#
# ll
total 8
-rw-r--r--. 1 root root 2110 Jan 13 07:55 exported_test_user.p12
drwxr-xr-x. 2 root root   65 Jan 13 07:55 pki
-rw-------. 1 root root 2110 Jan 13 07:54 test_user.p12
# /usr/bin/pk12util -l test_user.p12 -W pk12_passwd
Key(shrouded):
    Friendly Name: test_user

    Encryption algorithm: PKCS #12 V2 PBE With SHA-1 And 3KEY Triple DES-CBC
 ... snip ...

NOTE:

test_user.p12, that can be listed, was created by pk12util directly with the command:
   /usr/bin/pk12util -o test_user.p12 -n test_user -d 'sql:pki' -K db_passwd -W pk12_passwd

While exported_test_user.p12 was exported by python-nss:
... snip ...
       pkcs12_data = nss.pkcs12_export(cert_nickname, pk12_passwd)
        with open(exported_pk12_filename, 'w') as f:
            f.write(pkcs12_data)
... snip ...

For more details refer to upstream test /usr/share/doc/python-nss-0.16.0/test/test_pkcs12.py from python-nss-doc.

Additional info: with nss-3.16.2.3-2.el7:

# rpm -q nss
nss-3.16.2.3-2.el7.ppc64
# python /usr/share/doc/python-nss-0.16.0/test/setup_certs.py --verbose
INFO: Creating clean database directory: "pki"
INFO: creating ca cert: subject="CN=Test CA", nickname="test_ca"
INFO: creating server cert: subject="CN=ibm-p8-03-lp2.rhts.eng.bos.redhat.com", nickname="test_server"
INFO: creating client cert: subject="CN=test_user", nickname="test_user"
INFO: adding system trusted certs: name="ca_certs" module="libnssckbi.so"
INFO: ---------- Summary ----------
INFO: NSS database name="sql:pki", password="db_passwd"
INFO: CA nickname="test_ca", CA subject="CN=Test CA"
INFO: server nickname="test_server", server subject="CN=ibm-p8-03-lp2.rhts.eng.bos.redhat.com"
INFO: client nickname="test_user", client subject="CN=test_user"
[root@ibm-p8-03-lp2 test]# 
[root@ibm-p8-03-lp2 test]# 
[root@ibm-p8-03-lp2 test]# 
[root@ibm-p8-03-lp2 test]# rm -rf *
[root@ibm-p8-03-lp2 test]# python /usr/share/doc/python-nss-0.16.0/test/setup_certs.py --debug
INFO: Creating clean database directory: "pki"
DEBUG: /usr/bin/certutil -N -d sql:pki -f /tmp/tmp55xktB
INFO: creating ca cert: subject="CN=Test CA", nickname="test_ca"
DEBUG: /usr/bin/certutil -S -x -d sql:pki -f /tmp/tmp55xktB -n test_ca -s CN=Test CA -g 1024 -t CT,,CT -1 -2 -5 -m 1 -v 12 -z /tmp/tmpnyHeMV
INFO: creating server cert: subject="CN=ibm-p8-03-lp2.rhts.eng.bos.redhat.com", nickname="test_server"
DEBUG: /usr/bin/certutil -S -d sql:pki -f /tmp/tmp55xktB -c test_ca -n test_server -s CN=ibm-p8-03-lp2.rhts.eng.bos.redhat.com -g 1024 -t u,u,u -5 -m 2 -v 12 -z /tmp/tmpnyHeMV
INFO: creating client cert: subject="CN=test_user", nickname="test_user"
DEBUG: /usr/bin/certutil -S -d sql:pki -f /tmp/tmp55xktB -c test_ca -n test_user -s CN=test_user -g 1024 -t u,u,u -5 -m 3 -v 12 -z /tmp/tmpnyHeMV
INFO: adding system trusted certs: name="ca_certs" module="libnssckbi.so"
DEBUG: /usr/bin/modutil -dbdir sql:pki -add ca_certs -libfile libnssckbi.so
INFO: ---------- Summary ----------
INFO: NSS database name="sql:pki", password="db_passwd"
INFO: CA nickname="test_ca", CA subject="CN=Test CA"
INFO: server nickname="test_server", server subject="CN=ibm-p8-03-lp2.rhts.eng.bos.redhat.com"
INFO: client nickname="test_user", client subject="CN=test_user"
DEBUG: in exit handler
DEBUG: removing passwd_filename=/tmp/tmp55xktB
DEBUG: removing noise_filename=/tmp/tmpnyHeMV
# ll
total 0
drwxr-xr-x. 2 root root 65 Jan 13 06:56 pki
#
# python /usr/share/doc/python-nss-0.16.0/test/test_pkcs12.py
test_read
.test_import
.test_export
.
----------------------------------------------------------------------
Ran 3 tests in 2.342s

OK
#

Comment 4 Elio Maldonado Batiz 2015-01-16 18:58:53 UTC
Based on the TCMS test https://tcms.engineering.redhat.com/case/75306/
I have created a simplified version that doesn't require Beaker so I can
trace in the debugger.

Checked out the test: rhpkg tests python nss
cd python-nss/Sanity/pkcs12-sanity-test/
and edited runtest.sh to run everything manually from this directory

PACKAGE=python-nss
TmpDir=`pwd`
cp *jdennis $TmpDir
for i in `rpm -ql python-nss-doc`; do
  echo $i | grep -e setup_certs.py$ -e test_pkcs12.py$ && cp $i $TmpDir
done
if [ !-e $TmpDir/setup_certs.py ]; then
  cp -p setup_certs.py.jdennis $TmpDir/setup_certs.py
fi
if [ !-e $TmpDir/test_pkcs12.py ]; then
  cp -p test_pkcs12.py.jdennis $TmpDir/test_pkcs12.py
fi
export NSS_DEFAULT_DB_TYPE=sql
echo "PKCS12 Sanity Test"
rm -rf pki
python setup_certs.py

# run the test_pkcs12.py one manually on gdb, backtrace will tell you
# the pk12util command to run in the debugger which will likely be 
# /usr/bin/pk12util -l exported_test_user.p12 -W pk12_passwd
# python test_pkcs12.py

I'm still debugging but let me make sure first, I'm doing the right thing.
Patrik, is this a faithful adaptation of your original test?

Comment 5 Elio Maldonado Batiz 2015-01-17 00:19:28 UTC
The if [ !-e...]; then lines above are in error. One can totally remove those tests as we know the .py scripts are present and there is nothing to copy. I keep having problems with passwords whether on the debugger or not. One thing I did after the database was created is to export and list the exported file myself, as I had studied what the python scripts do. I used these commands

pk12util -o exported_test_userManual.p12 -n test_user -d sql:./pki -K db_passwd -W "pk12_passwd"
pk12util -l exported_test_userManual.p12 -W "pk12_passwd"
and it listed just fine. 

I'm at a loss on how to explain the failures of the test. Patrik, perhaps we can meet on-line on IRC to analyse this and see what I may be doing wrong.

Comment 7 Elio Maldonado Batiz 2015-01-18 05:59:31 UTC
The cause I think is my incorrect fix for bug 1174527.

Bob rightly objected to me using strlen in his comment at
https://bugzilla.redhat.com/show_bug.cgi?id=1174527#c6 

Looking at the original attachment at
https://bugzilla.redhat.com/attachment.cgi?id=969405&action=diff
we see if (strlen(dest->data) >= 2 && ...
                                    ^^
I changed if (strlen(dest->data) >= 2 && ... to 
if ((dest->len < 2) && ..... )
               ^  reversing the sense of the test, bad

where I should have instead changed it to 
if ((dest->len >= 2) && ..... )
               ^^  preserving the sense of the original

This fixes the problem as far as my testing tells me. A scratch build with this change is at https://brewweb.devel.redhat.com/taskinfo?taskID=8556324.

Could someone please give it a try?
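
Added example (not part of the bug report and not NSS code): a small C comparison of the three length guards discussed in comment 7, showing which inputs each one lets into the branch. The item_t struct, the placeholder rest_of_condition() standing in for the elided "&& ..." part, and the sample buffers are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Length-tagged buffer, modelled on the data/len pair the comment refers to. */
typedef struct {
    unsigned char *data;
    unsigned int len;
} item_t;

/* The comment elides the rest of the condition ("&& ..."); this placeholder
 * (hypothetical) always holds so that only the length test is exercised. */
static int rest_of_condition(const item_t *it) { (void)it; return 1; }

/* Original attachment: length taken with strlen(), which stops at the first
 * zero byte and needs a terminator that the len field does not promise. */
static int guard_strlen(const item_t *it) {
    return strlen((const char *)it->data) >= 2 && rest_of_condition(it);
}
/* The regressed rewrite: uses len, but the comparison is reversed. */
static int guard_inverted(const item_t *it) {
    return (it->len < 2) && rest_of_condition(it);
}
/* The corrected rewrite: uses len and keeps the sense of the original. */
static int guard_fixed(const item_t *it) {
    return (it->len >= 2) && rest_of_condition(it);
}

/* Constructed samples. Each array carries one extra zero byte beyond len so
 * that strlen() stays in bounds for the comparison. */
static unsigned char s_empty[]  = { 0 };
static unsigned char s_one[]    = { 'x', 0 };
static unsigned char s_ascii[]  = "pk12_passwd";
static unsigned char s_zeroes[] = { 0, 'p', 0, 'k', 0 };  /* zero bytes inside */

static item_t samples[] = {
    { s_empty, 0 }, { s_one, 1 }, { s_ascii, 11 }, { s_zeroes, 4 },
};
#define NSAMPLES (sizeof samples / sizeof samples[0])

typedef int (*guard_fn)(const item_t *);

/* Bit i is set when sample i satisfies the guard and enters the branch. */
static unsigned branch_mask(guard_fn guard) {
    unsigned mask = 0;
    for (size_t i = 0; i < NSAMPLES; i++)
        if (guard(&samples[i]))
            mask |= 1u << i;
    return mask;
}

int main(void) {
    printf("strlen(data) >= 2 : 0x%x\n", branch_mask(guard_strlen));
    printf("len < 2           : 0x%x\n", branch_mask(guard_inverted));
    printf("len >= 2          : 0x%x\n", branch_mask(guard_fixed));
    return 0;
}
```

The reversed guard selects exactly the inputs the corrected one rejects, and the strlen() form misses the buffer that contains zero bytes even though its len is 4.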

Comment 8 Patrik Kis 2015-01-19 08:45:06 UTC
(In reply to Elio Maldonado Batiz from comment #7)
> 
> This fixes the problem as far as my testing tells me. A scratch build with
> this change is at https://brewweb.devel.redhat.com/taskinfo?taskID=8556324.
> 
> Could someone please give it a try?

It looks like the test build fixes the problem:

[0 root@rhel71 tmp]$ rpm -qa python-nss\* nss\*
nss-softokn-freebl-devel-3.16.2.3-6.el7.x86_64
nss-pam-ldapd-0.8.13-8.el7.x86_64
python-nss-doc-0.16.0-2.el7.x86_64
nss_compat_ossl-0.9.6-8.el7.x86_64
nss-tools-3.16.2.3-4.el7.x86_64
nss-softokn-3.16.2.3-6.el7.x86_64
python-nss-0.16.0-2.el7.x86_64
nss-util-devel-3.16.2.3-1.el7.x86_64
nss-3.16.2.3-4.el7.x86_64
nss-util-3.16.2.3-1.el7.x86_64
nss-softokn-devel-3.16.2.3-6.el7.x86_64
nss-devel-3.16.2.3-4.el7.x86_64
nss-sysinit-3.16.2.3-4.el7.x86_64
nss-softokn-freebl-3.16.2.3-6.el7.x86_64
[0 root@rhel71 tmp]$ 
[0 root@rhel71 tmp]$ python /usr/share/doc/python-nss-0.16.0/test/setup_certs.py
INFO: Creating clean database directory: "pki"
INFO: creating ca cert: subject="CN=Test CA", nickname="test_ca"
INFO: creating server cert: subject="CN=auto-x86-64-001.ss.eng.bos.redhat.com", nickname="test_server"
INFO: creating client cert: subject="CN=test_user", nickname="test_user"
INFO: adding system trusted certs: name="ca_certs" module="libnssckbi.so"
INFO: ---------- Summary ----------
INFO: NSS database name="sql:pki", password="db_passwd"
INFO: CA nickname="test_ca", CA subject="CN=Test CA"
INFO: server nickname="test_server", server subject="CN=auto-x86-64-001.ss.eng.bos.redhat.com"
INFO: client nickname="test_user", client subject="CN=test_user"
[0 root@rhel71 tmp]$ 
[0 root@rhel71 tmp]$ python /usr/share/doc/python-nss-0.16.0/test/test_pkcs12.py
..E
======================================================================
ERROR: test_export (test_pkcs12.TestPKCS12Export)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/usr/share/doc/python-nss-0.16.0/test/test_pkcs12.py", line 210, in test_export
    exported_pk12_listing = list_pk12(exported_pk12_filename)
  File "/usr/share/doc/python-nss-0.16.0/test/test_pkcs12.py", line 109, in list_pk12
    stdout, stderr = run_cmd(cmd_args)
  File "/usr/share/doc/python-nss-0.16.0/test/test_pkcs12.py", line 56, in run_cmd
    stdout, stderr)
CmdError: failed /usr/bin/pk12util, -l, exported_test_user.p12, -W, pk12_passwd

----------------------------------------------------------------------
Ran 3 tests in 6.313s

FAILED (errors=1)
[0 root@rhel71 tmp]$ 
[0 root@rhel71 tmp]$ 
[0 root@rhel71 tmp]$ 
[0 root@rhel71 tmp]$ 
[0 root@rhel71 tmp]$ rm -rf *
You have new mail in /var/spool/mail/root
[0 root@rhel71 tmp]$ yum update ~/pkis/nss-3.16.2.3-5.el7/*rpm
Loaded plugins: auto-update-debuginfo, langpacks, product-id, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Examining /root/pkis/nss-3.16.2.3-5.el7/nss-3.16.2.3-5.el7.x86_64.rpm: nss-3.16.2.3-5.el7.x86_64
Marking /root/pkis/nss-3.16.2.3-5.el7/nss-3.16.2.3-5.el7.x86_64.rpm as an update to nss-3.16.2.3-4.el7.x86_64
Examining /root/pkis/nss-3.16.2.3-5.el7/nss-debuginfo-3.16.2.3-5.el7.x86_64.rpm: nss-debuginfo-3.16.2.3-5.el7.x86_64
Package nss-debuginfo not installed, cannot update it. Run yum install to install it instead.
Examining /root/pkis/nss-3.16.2.3-5.el7/nss-devel-3.16.2.3-5.el7.x86_64.rpm: nss-devel-3.16.2.3-5.el7.x86_64
Marking /root/pkis/nss-3.16.2.3-5.el7/nss-devel-3.16.2.3-5.el7.x86_64.rpm as an update to nss-devel-3.16.2.3-4.el7.x86_64
Examining /root/pkis/nss-3.16.2.3-5.el7/nss-pkcs11-devel-3.16.2.3-5.el7.x86_64.rpm: nss-pkcs11-devel-3.16.2.3-5.el7.x86_64
Package nss-pkcs11-devel not installed, cannot update it. Run yum install to install it instead.
Examining /root/pkis/nss-3.16.2.3-5.el7/nss-sysinit-3.16.2.3-5.el7.x86_64.rpm: nss-sysinit-3.16.2.3-5.el7.x86_64
Marking /root/pkis/nss-3.16.2.3-5.el7/nss-sysinit-3.16.2.3-5.el7.x86_64.rpm as an update to nss-sysinit-3.16.2.3-4.el7.x86_64
Examining /root/pkis/nss-3.16.2.3-5.el7/nss-tools-3.16.2.3-5.el7.x86_64.rpm: nss-tools-3.16.2.3-5.el7.x86_64
Marking /root/pkis/nss-3.16.2.3-5.el7/nss-tools-3.16.2.3-5.el7.x86_64.rpm as an update to nss-tools-3.16.2.3-4.el7.x86_64
Resolving Dependencies
--> Running transaction check
---> Package nss.x86_64 0:3.16.2.3-4.el7 will be updated
---> Package nss.x86_64 0:3.16.2.3-5.el7 will be an update
---> Package nss-devel.x86_64 0:3.16.2.3-4.el7 will be updated
---> Package nss-devel.x86_64 0:3.16.2.3-5.el7 will be an update
---> Package nss-sysinit.x86_64 0:3.16.2.3-4.el7 will be updated
---> Package nss-sysinit.x86_64 0:3.16.2.3-5.el7 will be an update
---> Package nss-tools.x86_64 0:3.16.2.3-4.el7 will be updated
---> Package nss-tools.x86_64 0:3.16.2.3-5.el7 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================================================
 Package              Arch            Version                 Repository                                   Size
================================================================================================================
Updating:
 nss                  x86_64          3.16.2.3-5.el7          /nss-3.16.2.3-5.el7.x86_64                  2.4 M
 nss-devel            x86_64          3.16.2.3-5.el7          /nss-devel-3.16.2.3-5.el7.x86_64            758 k
 nss-sysinit          x86_64          3.16.2.3-5.el7          /nss-sysinit-3.16.2.3-5.el7.x86_64           14 k
 nss-tools            x86_64          3.16.2.3-5.el7          /nss-tools-3.16.2.3-5.el7.x86_64            1.8 M

Transaction Summary
================================================================================================================
Upgrade  4 Packages

Total size: 5.0 M
Is this ok [y/d/N]: y
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Updating   : nss-3.16.2.3-5.el7.x86_64                                                                    1/8 
  Updating   : nss-sysinit-3.16.2.3-5.el7.x86_64                                                            2/8 
  Updating   : nss-tools-3.16.2.3-5.el7.x86_64                                                              3/8 
  Updating   : nss-devel-3.16.2.3-5.el7.x86_64                                                              4/8 
  Cleanup    : nss-devel-3.16.2.3-4.el7.x86_64                                                              5/8 
  Cleanup    : nss-tools-3.16.2.3-4.el7.x86_64                                                              6/8 
  Cleanup    : nss-3.16.2.3-4.el7.x86_64                                                                    7/8 
  Cleanup    : nss-sysinit-3.16.2.3-4.el7.x86_64                                                            8/8 
  Verifying  : nss-sysinit-3.16.2.3-5.el7.x86_64                                                            1/8 
  Verifying  : nss-tools-3.16.2.3-5.el7.x86_64                                                              2/8 
  Verifying  : nss-3.16.2.3-5.el7.x86_64                                                                    3/8 
  Verifying  : nss-devel-3.16.2.3-5.el7.x86_64                                                              4/8 
  Verifying  : nss-devel-3.16.2.3-4.el7.x86_64                                                              5/8 
  Verifying  : nss-tools-3.16.2.3-4.el7.x86_64                                                              6/8 
  Verifying  : nss-sysinit-3.16.2.3-4.el7.x86_64                                                            7/8 
  Verifying  : nss-3.16.2.3-4.el7.x86_64                                                                    8/8 

Updated:
  nss.x86_64 0:3.16.2.3-5.el7         nss-devel.x86_64 0:3.16.2.3-5.el7   nss-sysinit.x86_64 0:3.16.2.3-5.el7  
  nss-tools.x86_64 0:3.16.2.3-5.el7  

Complete!
[0 root@rhel71 tmp]$ 
[0 root@rhel71 tmp]$ python /usr/share/doc/python-nss-0.16.0/test/setup_certs.py
INFO: Creating clean database directory: "pki"
INFO: creating ca cert: subject="CN=Test CA", nickname="test_ca"
INFO: creating server cert: subject="CN=auto-x86-64-001.ss.eng.bos.redhat.com", nickname="test_server"
INFO: creating client cert: subject="CN=test_user", nickname="test_user"
INFO: adding system trusted certs: name="ca_certs" module="libnssckbi.so"
INFO: ---------- Summary ----------
INFO: NSS database name="sql:pki", password="db_passwd"
INFO: CA nickname="test_ca", CA subject="CN=Test CA"
INFO: server nickname="test_server", server subject="CN=auto-x86-64-001.ss.eng.bos.redhat.com"
INFO: client nickname="test_user", client subject="CN=test_user"
[0 root@rhel71 tmp]$ 
[0 root@rhel71 tmp]$ python /usr/share/doc/python-nss-0.16.0/test/test_pkcs12.py
...
----------------------------------------------------------------------
Ran 3 tests in 6.214s

OK
[0 root@rhel71 tmp]$

Comment 12 Suzanne Forsberg 2015-01-19 21:30:24 UTC

*** This bug has been marked as a duplicate of bug 1174527 ***

