Created attachment 1024374 [details]
passwordless PKCS#12 with PKCS#5 v2.0 aes-128-cbc encryption and SHA1 MAC

Description of problem:
When using `pk12util` to list certificates inside a PKCS#12 file with strong ciphers using the PKCS#5 v2.0 format, no certificates are output and no error is printed.

When using `pk12util` to list certificates inside a PKCS#12 file with a SHA-2 MAC, a MAC error is reported and no certificates are printed.

Version-Release number of selected component (if applicable):
openssl-1.0.1e-42.el7.x86_64
nss-3.16.2.3-5.el7.x86_64
(also tested on rhel-6 with nss-3.18.0-5.3.el6.x86_64)

How reproducible:
Always

Steps to Reproduce:
1. openssl req -x509 -newkey rsa -keyout localhost.key -out localhost.crt -subj /CN=localhost -nodes -batch
2. echo "RedHatEnterpriseLinux7.1" | openssl pkcs12 -export -out bundle.p12 -in localhost.crt -caname server-cert -nokeys -passout stdin -certpbe aes-128-cbc
3. pk12util -l bundle.p12 -W RedHatEnterpriseLinux7.1 -v

Actual results:
No output

Expected results:
Certificate printed

Steps to Reproduce:
1. openssl req -x509 -newkey rsa -keyout localhost.key -out localhost.crt -subj /CN=localhost -nodes -batch
2. echo "RedHatEnterpriseLinux7.1" | openssl pkcs12 -export -out bundle.p12 -in localhost.crt -caname server-cert -nokeys -passout stdin -certpbe PBE-SHA1-3DES -macalg sha1
3. pk12util -l bundle.p12 -W RedHatEnterpriseLinux7.1 -v

Actual results:
pk12util: PKCS12 decode not verified: error -12285: Unknown code ___P 3
pk12util: PKCS12 decode not verified: error -12285: Unknown code ___P

Expected results:
Certificate printed

Additional info:
Specifying `-certpbe PBE-SHA1-3DES -macalg sha1` creates a file readable by NSS.
Created attachment 1024375 [details]
passwordless PKCS#12 with PBE-SHA1-3DES encryption and SHA-256 MAC
Slight mistake in the second steps to reproduce, the option should be '-macalg sha256' but is '-macalg sha1'
Slight addition, and I'd say the most severe of the issues mentioned: pk12util can't decrypt the private key if it is encrypted with AES ciphers.

Steps to reproduce:
1. openssl req -x509 -newkey rsa -keyout localhost.key -out localhost.crt -subj /CN=localhost -nodes -batch
2. openssl pkcs12 -in localhost.crt -inkey localhost.key -export -out bundle.p12 -passout pass: -name "server" -caname "server" -certpbe NONE -keypbe AES-256-CBC -macalg SHA1
3. mkdir nssdb
4. certutil -N --empty-password -d sql:./nssdb
5. pk12util -i bundle.p12 -d sql:./nssdb -W ''

Actual results:
pk12util: PKCS12 decode import bags failed: SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY: Unable to import. Error attempting to import private key.

Expected results:
pk12util: PKCS12 IMPORT SUCCESSFUL

Additional info:
Specifying `-certpbe DES-EDE3-CBC` does create a PKCS#12 file which can be loaded, so I'm guessing it's the AES support that's missing, not PKCS#5 v2.0 support in general.
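The comments above distinguish files by which password-based scheme wraps the key and certificate bags (the PKCS#12 PBEs such as pbeWithSHAAnd3-KeyTripleDES-CBC versus PKCS#5 v2.0 PBES2 with PBKDF2 and an AES cipher) and by the MAC digest. Before handing a .p12 to pk12util it is useful to see those algorithms without relying on pk12util itself. The following is an added example, not code from the bug report, NSS or OpenSSL: a small DER walker that lists every algorithm OID in a PKCS#12 blob, descending into the OCTET STRINGs that carry the nested AuthenticatedSafe, and flags PBES2 use. The OID table is this example's own selection, and `build_sample_pfx` constructs a PFX skeleton with fixed filler bytes for salt, IV, ciphertext and digest so the script runs offline; it is not a file produced by openssl.

```python
"""Report which PBE / KDF / cipher / MAC algorithms a DER PKCS#12 (.p12) blob uses."""

# Assumption: this OID table is the example's own selection; extend it as needed.
KNOWN_OIDS = {
    "1.2.840.113549.1.7.1": ("pkcs7-data", "content"),
    "1.2.840.113549.1.7.6": ("pkcs7-encryptedData", "content"),
    "1.2.840.113549.1.12.1.3": ("pbeWithSHAAnd3-KeyTripleDES-CBC", "pkcs12-pbe"),
    "1.2.840.113549.1.5.13": ("PBES2", "pbes2"),
    "1.2.840.113549.1.5.12": ("PBKDF2", "kdf"),
    "1.3.6.1.4.1.11591.4.11": ("scrypt", "kdf"),
    "1.2.840.113549.2.9": ("hmacWithSHA256", "prf"),
    "1.2.840.113549.3.7": ("des-ede3-cbc", "cipher"),
    "2.16.840.1.101.3.4.1.2": ("aes128-CBC", "cipher"),
    "2.16.840.1.101.3.4.1.42": ("aes256-CBC", "cipher"),
    "1.3.14.3.2.26": ("sha1", "digest"),
    "2.16.840.1.101.3.4.2.1": ("sha256", "digest"),
}

def der_read_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, is_constructed, value, end_pos)."""
    if pos + 2 > len(buf) or buf[pos] & 0x1F == 0x1F:
        raise ValueError("truncated header or multi-byte tag")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("indefinite or oversized length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, bool(tag & 0x20), buf[pos:pos + length], pos + length

def der_decode_oid(value):
    """Decode OBJECT IDENTIFIER content octets to dotted form."""
    if not value or value[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs, acc = [], 0
    for b in value:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    head = [2, arcs[0] - 80] if arcs[0] >= 80 else [arcs[0] // 40, arcs[0] % 40]
    return ".".join(map(str, head + arcs[1:]))

def der_encode_oid(dotted):
    """Encode a dotted OID to content octets (base 128, high bit = continue)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for arc in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return bytes(out)

def der_tlv(tag, value):
    """Wrap value in a definite-length DER TLV."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def collect_oids(buf):
    """Depth-first list of every OID in buf, descending into constructed types and
    into OCTET STRINGs that parse as complete DER (PKCS#12 nests AuthenticatedSafe
    that way). An opaque OCTET STRING (ciphertext, salt) starting with 0x30 is
    only descended into if it parses cleanly to its last byte."""
    found, pos = [], 0
    while pos < len(buf):
        tag, constructed, value, pos = der_read_tlv(buf, pos)
        if tag == 0x06:
            found.append(der_decode_oid(value))
        elif constructed:
            found.extend(collect_oids(value))
        elif tag == 0x04 and value[:1] == b"\x30":
            try:
                found.extend(collect_oids(value))
            except ValueError:
                pass
    return found

def inspect_pkcs12(buf):
    """Name every algorithm OID in the blob and flag PBES2 (PKCS#5 v2.0) use."""
    oids = collect_oids(buf)
    kinds = {KNOWN_OIDS[o][1] for o in oids if o in KNOWN_OIDS}
    return {"algorithms": [KNOWN_OIDS.get(o, (o, "other"))[0] for o in oids],
            "pbes2": "pbes2" in kinds, "kinds": kinds}

def _seq_oid(oid, rest):
    """SEQUENCE { OID, rest }: the shape of both AlgorithmIdentifier and ContentInfo."""
    return der_tlv(0x30, der_tlv(0x06, der_encode_oid(oid)) + rest)

def build_sample_pfx(pbes2=True):
    """Constructed PFX skeleton (not produced by openssl) with the real nesting:
    PFX{3, ContentInfo{data,[0]{OCTET STRING{AuthenticatedSafe{ContentInfo{
    encryptedData,[0]{EncryptedData{0, EncryptedContentInfo}}}}}}}, MacData}.
    Salt, IV, ciphertext and digest are fixed filler bytes, not real values."""
    salt, iv, ct, dig = bytes(range(8)), bytes(16), b"\xaa" * 32, b"\x11" * 20
    iters = der_tlv(0x02, b"\x08\x00")  # INTEGER 2048
    if pbes2:  # PBES2 { PBKDF2(salt, 2048, hmacWithSHA256), aes256-CBC(iv) }
        kdf = _seq_oid("1.2.840.113549.1.5.12", der_tlv(0x30, der_tlv(0x04, salt) + iters
                       + _seq_oid("1.2.840.113549.2.9", der_tlv(0x05, b""))))
        enc = _seq_oid("2.16.840.1.101.3.4.1.42", der_tlv(0x04, iv))
        alg = _seq_oid("1.2.840.113549.1.5.13", der_tlv(0x30, kdf + enc))
    else:      # PKCS#12 PBE: pbeWithSHAAnd3-KeyTripleDES-CBC { salt, 2048 }
        alg = _seq_oid("1.2.840.113549.1.12.1.3", der_tlv(0x30, der_tlv(0x04, salt) + iters))
    eci = _seq_oid("1.2.840.113549.1.7.1", alg + der_tlv(0x80, ct))  # [0] IMPLICIT content
    enc_data = der_tlv(0x30, der_tlv(0x02, b"\x00") + eci)
    auth_safe = der_tlv(0x30, _seq_oid("1.2.840.113549.1.7.6", der_tlv(0xA0, enc_data)))
    authsafe_ci = _seq_oid("1.2.840.113549.1.7.1", der_tlv(0xA0, der_tlv(0x04, auth_safe)))
    mac_data = der_tlv(0x30, der_tlv(0x30, _seq_oid("1.3.14.3.2.26", der_tlv(0x05, b""))
                       + der_tlv(0x04, dig)) + der_tlv(0x04, salt) + iters)
    return der_tlv(0x30, der_tlv(0x02, b"\x03") + authsafe_ci + mac_data)
```

Run `inspect_pkcs12(open("bundle.p12", "rb").read())` on a real file; a result with `"pbes2": True` and an AES cipher in `"algorithms"` is the shape of file the comments above show older pk12util rejecting, while `pbeWithSHAAnd3-KeyTripleDES-CBC` is the shape that imports. The walker deliberately ignores the primitive `[0]` encryptedContent, so ciphertext is never mistaken for nested DER.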
I have also tested in FIPS mode using:
nss-3.18.0-2.2.el7_1.x86_64
nss-3.18.0-2.2.el7_1.i686
nspr-4.10.8-1.el7_1.x86_64
nspr-4.10.8-1.el7_1.i686
nss-util-3.18.0-1.el7_1.x86_64
nss-util-3.18.0-1.el7_1.i686
nss-softokn-3.16.2.3-9.el7.x86_64
nss-softokn-3.16.2.3-9.el7.i686

with a password protected file (with password "RedHatEnterpriseLinux7.1"). The reported error is exactly the same as in Comment 3.
If this is a feature enhancement request, it should be reported upstream. Please provide justification why this enhancement is required.
Bob in private communication said that this feature was supported in the past which would indicate that it's a regression. This enhancement is required for resilience against future quantum computers and to meet FIPS requirements for private key storage past year 2030[1]. 1 - see NIST SP 800-57 part 1 revision 4, section 5.6.2
Can you please file the upstream regression bug?
(In reply to Kai Engert (:kaie) from comment #9)
> Can you please file the upstream regression bug?

Hubert, is this something you could do please, assign it to Bob, and add a link in here?

Since we're moving towards stronger technology in the future, TriagedHigh seems to be appropriate.
There are already two bugs filed upstream for that (see External Trackers):
https://bugzilla.mozilla.org/show_bug.cgi?id=1268143
https://bugzilla.mozilla.org/show_bug.cgi?id=1268141

I don't have permissions to change the assignee of the upstream bugs. So please correct me if I missed something, but it looks like there's nothing for me to do.
(In reply to Hubert Kario from comment #11)
> There are already two bugs filed upstream for that (see External Trackers):
> https://bugzilla.mozilla.org/show_bug.cgi?id=1268143
> https://bugzilla.mozilla.org/show_bug.cgi?id=1268141

Thanks, I had missed the links.
Possibly some other files we can use for inspiration to generate PKCS#12 files:
http://git.infradead.org/users/dwmw2/openconnect.git/tree/HEAD:/tests/certs

One thing I haven't tested is if the PBES2 uses PBKDF2 with HMAC-SHA256 instead of the "standard" HMAC-SHA1. It's necessary as OpenSSL 1.1.0 defaults to the former for PKCS#12 export.
one more thing, PBKDF2 can also be used with SHA-512-224 and SHA-512-256, the PKCS#12 file HMAC possibly too...
PBES2 with PBKDF2 and des-ede3-cbc cipher is not supported for certBag
ECDSA keys without encryption are not supported
files without MAC are not supported
(In reply to Hubert Kario from comment #13)
> one thing I haven't tested is if the PBES2 uses PBKDF2 with a HMAC-SHA256,
> instead of the "standard" HMAC-SHA1. It's necessary as OpenSSL 1.1.0
> defaults to the former for PKCS#12 export.

I have tested it now and it doesn't work either (be it SHA224, SHA256, SHA384, SHA512 or MD5).
When trying to import
ecdsa(P-256,sha256),cert&key(PBES2(PBKDF2(salt(8),iter(2048),keyLen(default),prf(default)),aes-128-cbc(IV(16)))),mac(sha1,salt(8),iter(2048)),pass(ascii).p12
I'm getting

pk12util: PKCS12 decode import bags failed: SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY: Unable to import. Error attempting to import private key.

with exit code 19. Same with rsa key, aes-192-cbc or aes-256-cbc encryption.

Also can't import
rsa(2048,sha256),cert&key(PBES2(PBKDF2(salt(16),iter(2048),keyLen(default),prf(default)),des-ede3-cbc(IV(8)))),mac(sha1,salt(8),iter(2048)),pass(ascii).p12

there the error is:
pk12util: PKCS12 decode not verified: SEC_ERROR_DECRYPTION_DISALLOWED: Cannot decrypt: encrypted using a disallowed algorithm or key size.
pk12util: PKCS12 decode not verified: SEC_ERROR_DECRYPTION_DISALLOWED: Cannot decrypt: encrypted using a disallowed algorithm or key size.

even when just listing the file (pk12util -l)

Import of
rsa(2048,sha256),cert(none),key(PBES2(PBKDF2(salt(8),iter(2048),keyLen(default),prf(default)),des-ede3-cbc(IV(8)))),mac(sha1,salt(8),iter(2048)),pass(ascii).p12
also fails

So I can't even test if the SHA-2 PRF for PBKDF2 is working...
The above was tested using
nss-3.28.3-5.el7.x86_64
nss-util-3.28.3-3.el7.x86_64
nspr-4.13.1-1.0.el7.x86_64
nss-pem-1.0.3-2.el7.x86_64
nss-softokn-3.28.3-4.el7.x86_64
(In reply to Hubert Kario from comment #19)
> when trying to import
> ecdsa(P-256,sha256),cert&key(PBES2(PBKDF2(salt(8),iter(2048),keyLen(default),
> prf(default)),aes-128-cbc(IV(16)))),mac(sha1,salt(8),iter(2048)),pass(ascii).
> p12
> I'm getting
>
> pk12util: PKCS12 decode import bags failed:
> SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY: Unable to import. Error attempting
> to import private key.
>
> with exit code 19. Same with rsa key, aes-192-cbc or aes-256-cbc encryption.

This is because BMPString encoded passwords are given to non-PKCS#12 PBEs, sigh. That should have been tested as well in:
https://bugzilla.mozilla.org/show_bug.cgi?id=1268141

I have submitted a follow up fix for this:
https://bugzilla.mozilla.org/show_bug.cgi?id=1353325

> Also can't import
> rsa(2048,sha256),cert&key(PBES2(PBKDF2(salt(16),iter(2048),keyLen(default),
> prf(default)),des-ede3-cbc(IV(8)))),mac(sha1,salt(8),iter(2048)),pass(ascii).
> p12
>
> there the error is:
> pk12util: PKCS12 decode not verified: SEC_ERROR_DECRYPTION_DISALLOWED:
> Cannot decrypt: encrypted using a disallowed algorithm or key size.
> pk12util: PKCS12 decode not verified: SEC_ERROR_DECRYPTION_DISALLOWED:
> Cannot decrypt: encrypted using a disallowed algorithm or key size.
>
> even when just listing the file (pk12util -l)
>
> Import of
> rsa(2048,sha256),cert(none),key(PBES2(PBKDF2(salt(8),iter(2048),
> keyLen(default),prf(default)),des-ede3-cbc(IV(8)))),mac(sha1,salt(8),
> iter(2048)),pass(ascii).p12
> also fails

DES-EDE3-CBC is explicitly disabled in:
https://dxr.mozilla.org/mozilla-central/source/security/nss/lib/pkcs12/p12plcy.c#26
(In reply to Daiki Ueno from comment #21)
> (In reply to Hubert Kario from comment #19)
> > Import of
> > rsa(2048,sha256),cert(none),key(PBES2(PBKDF2(salt(8),iter(2048),
> > keyLen(default),prf(default)),des-ede3-cbc(IV(8)))),mac(sha1,salt(8),
> > iter(2048)),pass(ascii).p12
> > also fails
>
> DES-EDE3-CBC is explicitly disabled in:
> https://dxr.mozilla.org/mozilla-central/source/security/nss/lib/pkcs12/
> p12plcy.c#26

None of the ciphers in that array are "allowed"...
(In reply to Hubert Kario from comment #22)
> (In reply to Daiki Ueno from comment #21)
> > (In reply to Hubert Kario from comment #19)
> > > Import of
> > > rsa(2048,sha256),cert(none),key(PBES2(PBKDF2(salt(8),iter(2048),
> > > keyLen(default),prf(default)),des-ede3-cbc(IV(8)))),mac(sha1,salt(8),
> > > iter(2048)),pass(ascii).p12
> > > also fails
> >
> > DES-EDE3-CBC is explicitly disabled in:
> > https://dxr.mozilla.org/mozilla-central/source/security/nss/lib/pkcs12/
> > p12plcy.c#26
>
> none of the ciphers in that array are "allowed"...

Sorry, you are right. The cipher is rejected because of a key length mismatch, checked at:
https://dxr.mozilla.org/mozilla-central/source/security/nss/lib/pkcs12/p12plcy.c#52
Issues with handling of files encrypted using Camellia ciphers are tracked in bug 1462297.
Issues with handling non-encrypted ECDSA PKCS#12 files are tracked in bug 1462302.
Issues with handling files with scrypt key derivation function are tracked in bug 1462303.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2017:1977