Bug 1250020 - gnutls_x509_privkey_import can no longer import some private keys
gnutls_x509_privkey_import can no longer import some private keys
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: gnutls (Show other bugs)
23
Unspecified Unspecified
unspecified Severity high
: ---
: ---
Assigned To: Nikos Mavrogiannopoulos
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-08-04 07:16 EDT by Daniel Berrange
Modified: 2015-08-31 23:37 EDT (History)
2 users (show)

See Also:
Fixed In Version: 3.4.4-1.fc23
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-08-31 23:37:18 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Demo program (1.86 KB, text/plain)
2015-08-04 07:16 EDT, Daniel Berrange
no flags Details

  None (edit)
Description Daniel Berrange 2015-08-04 07:16:07 EDT
Description of problem:
The gnutls_x509_privkey_import method is no longer able to load private keys with a starting signature of:


    -----BEGIN PRIVATE KEY-----

It can only load keys which mention an explicit algorithm

The gnutls_x509_privkey_import2 method succeeds, which is why certtool --infile blah -k does not show any problem

The problem appears to have been caused by this commit in 3.4.3:

commit 0debaca946b74c66e67ed1a86c671ec3573b779a
Author: Nikos Mavrogiannopoulos <nmav@redhat.com>
Date:   Thu Jun 25 15:08:54 2015 +0200

    gnutls_x509_privkey_import: optimized private key loading

Originlly the result would get set to GNUTLS_E_BASE64_UNEXPECTED_HEADER_ERROR

But now it gets set to GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;

As a result, when the code jumsp to the 'failover' label it no longer triggers the PKCS#8 fallback path

      failover:
        /* Try PKCS #8 */
        if (result == GNUTLS_E_BASE64_UNEXPECTED_HEADER_ERROR) {
                _gnutls_debug_log
                    ("Falling back to PKCS #8 key decoding\n");
                result =
                    gnutls_x509_privkey_import_pkcs8(key, data, format,
                                                     NULL,
                                                     GNUTLS_PKCS_PLAIN);
        }

This regression is breaking the libvirt test suite which uses the import method.


Version-Release number of selected component (if applicable):
3.4.3

How reproducible:
Always

Steps to Reproduce:
1. Save attached demo to priv.c
2.gcc `pkg-config --cflags --libs gnutls`  -o priv priv.c
3. ./priv

Actual results:
Failed to import key The requested data were not available.
Aborted (core dumped)


Expected results:
Loads the private key

Additional info:
Comment 1 Daniel Berrange 2015-08-04 07:16:48 EDT
Created attachment 1059045 [details]
Demo program
Comment 2 Nikos Mavrogiannopoulos 2015-08-04 08:01:56 EDT
Thanks. I've committed a fix upstream.

https://gitlab.com/gnutls/gnutls/commit/3573c516a1cf1adc0df3b4caaeec64f55753016d
Comment 3 Fedora Update System 2015-08-10 04:58:39 EDT
gnutls-3.4.4-1.fc23 has been submitted as an update for Fedora 23.
https://admin.fedoraproject.org/updates/gnutls-3.4.4-1.fc23
Comment 4 Fedora Update System 2015-08-12 16:10:48 EDT
Package gnutls-3.4.4-1.fc23:
* should fix your issue,
* was pushed to the Fedora 23 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing gnutls-3.4.4-1.fc23'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-13287/gnutls-3.4.4-1.fc23
then log in and leave karma (feedback).
Comment 5 Fedora Update System 2015-08-31 23:37:12 EDT
gnutls-3.4.4-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.