Bug 1220573 (rhel7-nss-aes-key-support) - NSS can't handle PKCS#12 files with keys or certificates encrypted using strong PKCS#5 v2.0 ciphers or ones that use SHA-2 MAC
Keywords:
Status: CLOSED ERRATA
Alias: rhel7-nss-aes-key-support
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: nss
Version: 7.1
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Bob Relyea
QA Contact: Hubert Kario
Docs Contact: Mirek Jahoda
URL:
Whiteboard:
Depends On:
Blocks: 839624 1335929 rhel7-nss-pkcs12
Reported: 2015-05-11 23:06 UTC by Hubert Kario
Modified: 2017-09-18 18:02 UTC

Fixed In Version: nss-3.28.4-8.el7
Doc Type: Bug Fix
Doc Text:
_nss_ now properly handles PKCS#12 files
Previously, when using the "pk12util" tool to list certificates in a PKCS#12 file with strong ciphers using PKCS#5 v2.0 format, there was no output. Additionally, when using "pk12util" to list certificates in a PKCS#12 file with the SHA-2 Message Authentication Code (MAC), a MAC error was reported, but no certificates were printed. With this update, importing and exporting PKCS#12 files has been changed to be compatible with the *OpenSSL* handling, and PKCS#12 files are now processed properly in the described scenarios.
Clone Of:
Environment:
Last Closed: 2017-08-01 16:47:42 UTC
Target Upstream Version:
Embargoed:


Attachments
passwordless PKCS#12 with PKCS#5 v2.0 aes-128-cbc encryption and SHA1 MAC (1.04 KB, application/octet-stream) - 2015-05-11 23:06 UTC, Hubert Kario
passwordless PKCS#12 with PBE-SHA1-3DES encryption and SHA-256 MAC (1.02 KB, application/octet-stream) - 2015-05-11 23:07 UTC, Hubert Kario


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Mozilla Foundation | 440033 | 0 | -- | RESOLVED | Error importing PKCS12 (PKCS#12) certificates to firefox | 2020-01-13 12:57:00 UTC
Mozilla Foundation | 452464 | 0 | -- | NEW | pk12util -o fails when -C option specifies AES or Camellia ciphers | 2020-01-13 12:57:01 UTC
Mozilla Foundation | 1268141 | 0 | -- | RESOLVED | pk12util can't import PKCS#12 files encrypted with AES-128-CBC | 2020-01-13 12:57:00 UTC
Mozilla Foundation | 1268143 | 0 | -- | RESOLVED | pk12util can't import PKCS#12 files with SHA-256 MAC | 2020-01-13 12:57:00 UTC
Mozilla Foundation | 1353325 | 0 | -- | RESOLVED | pkcs12: don't encode password into Unicode if non-PKCS#12 PBE is used | 2020-01-13 12:57:00 UTC
Mozilla Foundation | 1353724 | 0 | -- | RESOLVED | fix key length calculation for PKCS#5 PBES2 DES-EDE3-CBC-Pad | 2020-01-13 12:57:00 UTC
Red Hat Bugzilla | 1384107 | 0 | medium | CLOSED | PKCS#12 export illogically fails with some PBE algorithms [rhel-6] | 2021-02-22 00:41:40 UTC
Red Hat Bugzilla | 1384147 | 0 | medium | CLOSED | PKCS#12 export illogically fails with some PBE algorithms [rhel-7] | 2021-02-22 00:41:40 UTC
Red Hat Bugzilla | 1462297 | 0 | low | CLOSED | Import of PKCS#12 files with Camellia encryption is not supported | 2022-09-26 15:24:23 UTC
Red Hat Bugzilla | 1462302 | 0 | low | CLOSED | Import of PKCS#12 files with ECDSA keys without encryption fails | 2021-02-22 00:41:40 UTC
Red Hat Bugzilla | 1462303 | 0 | low | CLOSED | PKCS#12 files with scrypt key derivation function are not supported | 2021-02-22 00:41:40 UTC
Red Hat Product Errata | RHEA-2017:1977 | 0 | normal | SHIPPED_LIVE | nss bug fix and enhancement update | 2017-08-01 17:57:47 UTC


Description Hubert Kario 2015-05-11 23:06:42 UTC
Created attachment 1024374 [details]
passwordless PKCS#12 with PKCS#5 v2.0 aes-128-cbc encryption and SHA1 MAC

Description of problem:
When using `pk12util` to list certificates inside the PKCS#12 file with strong ciphers using PKCS#5 v2.0 format, no certificates are outputted and no error is printed.

When using `pk12util` to list certificates inside the PKCS#12 file with SHA-2 MAC, MAC error is reported and no certificates are printed.

Version-Release number of selected component (if applicable):
openssl-1.0.1e-42.el7.x86_64
nss-3.16.2.3-5.el7.x86_64

(also tested on rhel-6 with nss-3.18.0-5.3.el6.x86_64)

How reproducible:
Always

Steps to Reproduce:
1. openssl req -x509 -newkey rsa -keyout localhost.key -out localhost.crt -subj /CN=localhost -nodes -batch
2. echo "RedHatEnterpriseLinux7.1" | openssl pkcs12 -export -out bundle.p12 -in localhost.crt -caname server-cert -nokeys -passout stdin -certpbe aes-128-cbc
3. pk12util -l bundle.p12 -W RedHatEnterpriseLinux7.1 -v

Actual results:
No output

Expected results:
Certificate printed

Steps to Reproduce:
1. openssl req -x509 -newkey rsa -keyout localhost.key -out localhost.crt -subj /CN=localhost -nodes -batch
2. echo "RedHatEnterpriseLinux7.1" | openssl pkcs12 -export -out bundle.p12 -in localhost.crt -caname server-cert -nokeys -passout stdin -certpbe PBE-SHA1-3DES -macalg sha1
3. pk12util -l bundle.p12 -W RedHatEnterpriseLinux7.1 -v

Actual results:
pk12util: PKCS12 decode not verified: error -12285: Unknown code ___P 3
pk12util: PKCS12 decode not verified: error -12285: Unknown code ___P 

Expected results:
Certificate printed

Additional info:
Specifying `-certpbe PBE-SHA1-3DES -macalg sha1` creates a file readable for NSS.

Comment 1 Hubert Kario 2015-05-11 23:07:46 UTC
Created attachment 1024375 [details]
passwordless PKCS#12 with PBE-SHA1-3DES encryption and SHA-256 MAC

Comment 2 Hubert Kario 2015-05-12 10:17:46 UTC
Slight mistake in the second set of steps to reproduce: the option should be '-macalg sha256', but is '-macalg sha1'.

Comment 3 Hubert Kario 2015-05-12 15:01:16 UTC
Slight addition, and I'd say the most severe of the issues mentioned: pk12util can't decrypt a private key if it is encrypted with AES ciphers.

Steps to reproduce:
1. openssl req -x509 -newkey rsa -keyout localhost.key -out localhost.crt -subj /CN=localhost -nodes -batch
2. openssl pkcs12 -in localhost.crt -inkey localhost.key -export -out bundle.p12 -passout pass: -name "server" -caname "server" -certpbe NONE -keypbe AES-256-CBC -macalg SHA1
3. mkdir nssdb
4. certutil -N --empty-password -d sql:./nssdb
5. pk12util -i bundle.p12 -d sql:./nssdb -W ''

Actual results:
pk12util: PKCS12 decode import bags failed: SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY: Unable to import.  Error attempting to import private key.

Expected results:
pk12util: PKCS12 IMPORT SUCCESSFUL

Additional info:
Specifying `-certpbe DES-EDE3-CBC` does create a PKCS#12 file which can be loaded, so I'm guessing it's the AES support that's missing, not PKCS#5 v2.0 support in general.

Comment 4 Hubert Kario 2015-05-13 11:17:55 UTC
I have also tested in FIPS mode using:
nss-3.18.0-2.2.el7_1.x86_64
nss-3.18.0-2.2.el7_1.i686
nspr-4.10.8-1.el7_1.x86_64
nspr-4.10.8-1.el7_1.i686
nss-util-3.18.0-1.el7_1.x86_64
nss-util-3.18.0-1.el7_1.i686
nss-softokn-3.16.2.3-9.el7.x86_64
nss-softokn-3.16.2.3-9.el7.i686

with a password protected file (with password "RedHatEnterpriseLinux7.1"). The reported error is exactly the same as in Comment 3.

Comment 7 Kai Engert (:kaie) (inactive account) 2016-04-25 20:37:09 UTC
If this is a feature enhancement request, it should be reported upstream.

Please provide justification why this enhancement is required.

Comment 8 Hubert Kario 2016-04-26 17:49:24 UTC
Bob in private communication said that this feature was supported in the past, which would indicate that it's a regression.

This enhancement is required for resilience against future quantum computers and to meet FIPS requirements for private key storage past the year 2030 [1].

[1] NIST SP 800-57 Part 1 Revision 4, section 5.6.2

Comment 9 Kai Engert (:kaie) (inactive account) 2016-04-27 12:45:38 UTC
Can you please file the upstream regression bug?

Comment 10 Kai Engert (:kaie) (inactive account) 2016-09-28 16:22:02 UTC
(In reply to Kai Engert (:kaie) from comment #9)
> Can you please file the upstream regression bug?

Hubert, is this something you could do please, assign it to Bob, and add a link in here?

Since we're moving towards stronger technology in the future, TriagedHigh seems to be appropriate.

Comment 11 Hubert Kario 2016-09-29 11:11:23 UTC
There are already two bugs filed upstream for that (see External Trackers):
https://bugzilla.mozilla.org/show_bug.cgi?id=1268143
https://bugzilla.mozilla.org/show_bug.cgi?id=1268141

I don't have permissions to change the assignee of the upstream bugs.

So please correct me if I missed something, but it looks like there's nothing for me to do.

Comment 12 Kai Engert (:kaie) (inactive account) 2016-09-29 11:45:02 UTC
(In reply to Hubert Kario from comment #11)
> There are already two bugs filed upstream for that (see External Trackers):
> https://bugzilla.mozilla.org/show_bug.cgi?id=1268143
> https://bugzilla.mozilla.org/show_bug.cgi?id=1268141

Thanks, I had missed the links.

Comment 13 Hubert Kario 2016-10-12 15:36:37 UTC
Possibly some other files we can use for inspiration to generate PKCS#12 files:
http://git.infradead.org/users/dwmw2/openconnect.git/tree/HEAD:/tests/certs

One thing I haven't tested is if the PBES2 uses PBKDF2 with an HMAC-SHA256, instead of the "standard" HMAC-SHA1. It's necessary as OpenSSL 1.1.0 defaults to the former for PKCS#12 export.

Comment 16 Hubert Kario 2017-02-16 14:10:28 UTC
One more thing: PBKDF2 can also be used with SHA-512/224 and SHA-512/256; the PKCS#12 file HMAC possibly too...

Comment 17 Hubert Kario 2017-03-22 18:53:57 UTC
PBES2 with PBKDF2 and des-ede3-cbc cipher is not supported for certBag

ECDSA keys without encryption are not supported

files without MAC are not supported

Comment 18 Hubert Kario 2017-03-23 16:07:58 UTC
(In reply to Hubert Kario from comment #13)
> one thing I haven't tested is if the PBES2 uses PBKDF2 with a HMAC-SHA256,
> instead of the "standard" HMAC-SHA1. It's necessary as OpenSSL 1.1.0
> defaults to the former for PKCS#12 export.

I have tested it now and it doesn't work either (be it SHA224, SHA256, SHA384, SHA512 or MD5)

Comment 19 Hubert Kario 2017-03-29 12:58:32 UTC
When trying to import
ecdsa(P-256,sha256),cert&key(PBES2(PBKDF2(salt(8),iter(2048),keyLen(default),prf(default)),aes-128-cbc(IV(16)))),mac(sha1,salt(8),iter(2048)),pass(ascii).p12
I'm getting

pk12util: PKCS12 decode import bags failed: SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY: Unable to import.  Error attempting to import private key.

with exit code 19. Same with rsa key, aes-192-cbc or aes-256-cbc encryption.

Also can't import rsa(2048,sha256),cert&key(PBES2(PBKDF2(salt(16),iter(2048),keyLen(default),prf(default)),des-ede3-cbc(IV(8)))),mac(sha1,salt(8),iter(2048)),pass(ascii).p12

there the error is:
pk12util: PKCS12 decode not verified: SEC_ERROR_DECRYPTION_DISALLOWED: Cannot decrypt: encrypted using a disallowed algorithm or key size.
pk12util: PKCS12 decode not verified: SEC_ERROR_DECRYPTION_DISALLOWED: Cannot decrypt: encrypted using a disallowed algorithm or key size.

even when just listing the file (pk12util -l)

Import of
rsa(2048,sha256),cert(none),key(PBES2(PBKDF2(salt(8),iter(2048),keyLen(default),prf(default)),des-ede3-cbc(IV(8)))),mac(sha1,salt(8),iter(2048)),pass(ascii).p12
also fails

So I can't even test if the SHA-2 PRF for PBKDF2 is working...

Comment 20 Hubert Kario 2017-03-29 12:59:34 UTC
The above was tested using
nss-3.28.3-5.el7.x86_64
nss-util-3.28.3-3.el7.x86_64
nspr-4.13.1-1.0.el7.x86_64
nss-pem-1.0.3-2.el7.x86_64
nss-softokn-3.28.3-4.el7.x86_64

Comment 21 Daiki Ueno 2017-04-04 11:13:06 UTC
(In reply to Hubert Kario from comment #19)
> when trying to import
> ecdsa(P-256,sha256),cert&key(PBES2(PBKDF2(salt(8),iter(2048),keyLen(default),
> prf(default)),aes-128-cbc(IV(16)))),mac(sha1,salt(8),iter(2048)),pass(ascii).
> p12 
> I'm getting 
> 
> pk12util: PKCS12 decode import bags failed:
> SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY: Unable to import.  Error attempting
> to import private key.
> 
> with exit code 19. Same with rsa key, aes-192-cbc or aes-256-cbc encryption.

This is because BMPString-encoded passwords are given to non-PKCS#12 PBEs, sigh.  That should have been tested as well in:
https://bugzilla.mozilla.org/show_bug.cgi?id=1268141

I have submitted a follow up fix for this:
https://bugzilla.mozilla.org/show_bug.cgi?id=1353325

> Also can't import
> rsa(2048,sha256),cert&key(PBES2(PBKDF2(salt(16),iter(2048),keyLen(default),
> prf(default)),des-ede3-cbc(IV(8)))),mac(sha1,salt(8),iter(2048)),pass(ascii).
> p12
> 
> there the error is:
> pk12util: PKCS12 decode not verified: SEC_ERROR_DECRYPTION_DISALLOWED:
> Cannot decrypt: encrypted using a disallowed algorithm or key size.
> pk12util: PKCS12 decode not verified: SEC_ERROR_DECRYPTION_DISALLOWED:
> Cannot decrypt: encrypted using a disallowed algorithm or key size.
> 
> even when just listing the file (pk12util -l)
> 
> Import of
> rsa(2048,sha256),cert(none),key(PBES2(PBKDF2(salt(8),iter(2048),
> keyLen(default),prf(default)),des-ede3-cbc(IV(8)))),mac(sha1,salt(8),
> iter(2048)),pass(ascii).p12
> also fails

DES-EDE3-CBC is explicitly disabled in:
https://dxr.mozilla.org/mozilla-central/source/security/nss/lib/pkcs12/p12plcy.c#26
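
The root cause Daiki points at above (and behind the import failures in comments 3 and 19) can be shown with a few lines of key derivation. The example below is added here and is not code from the bug report, NSS or OpenSSL: PKCS#12 PBEs (RFC 7292 Appendix B) take the password as a BMPString (UTF-16BE plus a NUL code unit), while PBES2 uses PBKDF2 (RFC 8018) over the raw password bytes, which OpenSSL supplies as ASCII/UTF-8; feeding the BMPString form into PBKDF2 yields a different key, so the encrypted key bag can never be decrypted. The salt, iteration count and key sizes are constructed sample values in the style of the file names in comment 19, not taken from any real file.

```python
import hashlib

def bmpstring(password: str) -> bytes:
    """PKCS#12 password encoding (RFC 7292 App. B.1): UTF-16BE plus a NUL code unit."""
    return password.encode("utf-16-be") + b"\x00\x00"

def pkcs12_kdf(password: bytes, salt: bytes, id_byte: int, iters: int, n: int) -> bytes:
    """RFC 7292 Appendix B.2 derivation with SHA-1 (u = 20, v = 64 bytes).
    id_byte 1 = encryption key, 2 = IV, 3 = MAC key. Expects a BMPString password."""
    u, v = 20, 64
    D = bytes([id_byte]) * v

    def fill(x: bytes) -> bytes:  # repeat x up to the next multiple of v bytes
        if not x:
            return b""
        target = v * -(-len(x) // v)
        return (x * -(-target // len(x)))[:target]

    I = bytearray(fill(salt) + fill(password))
    out = b""
    while len(out) < n:
        A = hashlib.sha1(D + I).digest()
        for _ in range(iters - 1):
            A = hashlib.sha1(A).digest()
        out += A
        B = int.from_bytes((A * (v // u + 1))[:v], "big")
        for j in range(0, len(I), v):  # I_j = (I_j + B + 1) mod 2^(8v)
            I_j = (int.from_bytes(I[j:j + v], "big") + B + 1) % (1 << (8 * v))
            I[j:j + v] = I_j.to_bytes(v, "big")
    return out[:n]

def pbes2_key(password: bytes, salt: bytes, iters: int, n: int, prf: str = "sha1") -> bytes:
    """PBES2 key: PBKDF2-HMAC-<prf> (RFC 8018) over the raw password bytes, no BMPString."""
    return hashlib.pbkdf2_hmac(prf, password, salt, iters, n)

# Constructed sample parameters in the style of the file names in comment 19
# (salt(8), iter(2048), aes-128-cbc -> 16-byte key); not taken from a real file.
SALT, ITERS, PASSWORD = bytes(range(8)), 2048, "RedHatEnterpriseLinux7.1"

def correct_pbes2_key() -> bytes:
    """What OpenSSL derives when it writes a PBES2 bag: raw ASCII/UTF-8 password."""
    return pbes2_key(PASSWORD.encode("utf-8"), SALT, ITERS, 16)

def buggy_pbes2_key() -> bytes:
    """The pre-fix NSS behaviour diagnosed in comment 21: BMPString fed to PBKDF2."""
    return pbes2_key(bmpstring(PASSWORD), SALT, ITERS, 16)

def pkcs12_pbe_key() -> bytes:
    """For a PKCS#12 PBE such as PBE-SHA1-3DES the BMPString form is the right input."""
    return pkcs12_kdf(bmpstring(PASSWORD), SALT, 1, ITERS, 24)
```

Comparing `correct_pbes2_key()` with `buggy_pbes2_key()` shows why a PBES2-protected bag written by OpenSSL failed with SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY rather than a MAC error: the outer MAC (a PKCS#12-style derivation) still verified, only the inner key derivation used the wrong password bytes.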

Comment 22 Hubert Kario 2017-04-05 10:21:21 UTC
(In reply to Daiki Ueno from comment #21)
> (In reply to Hubert Kario from comment #19)
> > Import of
> > rsa(2048,sha256),cert(none),key(PBES2(PBKDF2(salt(8),iter(2048),
> > keyLen(default),prf(default)),des-ede3-cbc(IV(8)))),mac(sha1,salt(8),
> > iter(2048)),pass(ascii).p12
> > also fails
> 
> DES-EDE3-CBC is explicitly disabled in:
> https://dxr.mozilla.org/mozilla-central/source/security/nss/lib/pkcs12/
> p12plcy.c#26

None of the ciphers in that array are "allowed"...

Comment 23 Daiki Ueno 2017-04-05 15:27:30 UTC
(In reply to Hubert Kario from comment #22)
> (In reply to Daiki Ueno from comment #21)
> > (In reply to Hubert Kario from comment #19)
> > > Import of
> > > rsa(2048,sha256),cert(none),key(PBES2(PBKDF2(salt(8),iter(2048),
> > > keyLen(default),prf(default)),des-ede3-cbc(IV(8)))),mac(sha1,salt(8),
> > > iter(2048)),pass(ascii).p12
> > > also fails
> > 
> > DES-EDE3-CBC is explicitly disabled in:
> > https://dxr.mozilla.org/mozilla-central/source/security/nss/lib/pkcs12/
> > p12plcy.c#26
> 
> none of the ciphers in that array are "allowed"...

Sorry, you are right.  The cipher is rejected because of key length mismatch, checked at:
https://dxr.mozilla.org/mozilla-central/source/security/nss/lib/pkcs12/p12plcy.c#52

Comment 35 Hubert Kario 2017-06-16 16:25:46 UTC
Issues with handling of files encrypted using Camellia ciphers are tracked in bug 1462297.

Comment 36 Hubert Kario 2017-06-16 16:33:35 UTC
Issues with handling non-encrypted ECDSA PKCS#12 files are tracked in bug 1462302.

Comment 37 Hubert Kario 2017-06-16 17:07:48 UTC
Issues with handling files with scrypt key derivation function are tracked in bug 1462303.

Comment 38 errata-xmlrpc 2017-08-01 16:47:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:1977

