Bug 1431210 - Import of pkcs#12 with RSA-PSS certificates does not work with pk12util
Summary: Import of pkcs#12 with RSA-PSS certificates does not work with pk12util
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: nss   
(Show other bugs)
Version: 7.4
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: pre-dev-freeze
: 7.4
Assignee: Daiki Ueno
QA Contact: Hubert Kario
Mirek Jahoda
URL:
Whiteboard:
Keywords:
Depends On:
Blocks: rhel7-rsa-pss-in-nss
TreeView+ depends on / blocked
 
Reported: 2017-03-10 15:35 UTC by Hubert Kario
Modified: 2018-04-10 09:26 UTC (History)
4 users (show)

Fixed In Version: nss-3.34.0-0.1.beta1.el7
Doc Type: Technology Preview
Doc Text:
*pk12util* can now import certificates signed with `RSA-PSS` The *pk12util* tool now provides importing a certificate signed with the `RSA-PSS` algorithm as a Technology Preview. Note that if the corresponding private key is imported and has the `PrivateKeyInfo.privateKeyAlgorithm` field that restricts the signing algorithm to `RSA-PSS`, it is ignored when importing the key to a browser. See https://bugzilla.mozilla.org/show_bug.cgi?id=1413596 for more information.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-04-10 09:25:43 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
PKCS#12 file with rsa-pss certificate (2.49 KB, application/octet-stream)
2017-03-10 15:35 UTC, Hubert Kario
no flags Details


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2018:0679 None None None 2018-04-10 09:26 UTC
Mozilla Foundation 1346239 None None None 2019-03-14 16:36 UTC
Red Hat Bugzilla 1425514 None CLOSED certutil has multiple issues in handling RSA-PSS certificates 2019-03-14 16:36 UTC
Red Hat Bugzilla 1508571 None POST Exporting RSA-PSS keys to PKCS#12 drops the rsa-pss identifier from them 2019-03-14 16:36 UTC

Internal Trackers: 1425514 1508571

Description Hubert Kario 2017-03-10 15:35:27 UTC
Created attachment 1261954 [details]
PKCS#12 file with rsa-pss certificate

Importing a PKCS#12 file with RSA-PSS certificate and key pair to NSS database fails:

Version:
nss-3.28.3-3.el7.x86_64

Reproducer:
mkdir nssdb
certutil -N --empty-password -d sql:./nssdb/
pk12util -i server.p12 -d sql:./nssdb -W ''

Result:
pk12util: PKCS12 decode import bags failed: SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY: Unable to import.  Error attempting to import private key.

Expected:
certificate and key imported to database, available for use

Additional info:
The file is correctly parsed by pk12util -l:
pk12util -l server.p12 -W '' -v
Certificate(has private key):
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: PKCS #1 RSA-PSS Signature
            Parameters:
                Hash algorithm: SHA-256
                Mask algorithm: PKCS #1 MGF1 Mask Generation Function
                Mask hash algorithm: SHA-256
                Salt Length: 222 (0xde)
        Issuer: "CN=CA"
        Validity:
            Not Before: Fri Mar 10 15:08:10 2017
            Not After : Sun Jan 17 15:08:10 2027
        Subject: "CN=localhost"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA-PSS Signature
                Parameters:
                    Invalid RSA-PSS parameters
            RSA Public Key:
                Modulus:
                    e5:ce:c8:77:f0:ca:ea:b3:1d:dc:74:e6:1f:14:2a:d0:
                    92:fa:cd:fe:10:cf:04:fc:e8:d5:ee:3e:43:66:e2:ba:
                    f2:15:79:b6:2d:4e:27:1d:2a:89:40:72:e1:2f:12:7d:
                    91:a8:e5:6b:72:6e:70:56:17:64:b6:5a:c3:18:41:c7:
                    9d:aa:2b:f9:0e:a1:8d:18:a7:41:c1:53:7a:3f:8b:d3:
                    e2:84:50:73:8b:52:67:82:1c:09:86:63:00:12:39:07:
                    0b:1d:18:eb:32:4a:9c:5d:98:d1:28:40:a3:5d:6f:bb:
                    bf:a5:3d:39:e8:77:69:c8:2e:27:ea:c4:0e:9b:14:f8:
                    bc:2b:b8:b8:bf:16:76:f6:25:50:89:b1:2a:c7:33:9e:
                    62:f3:fa:64:df:2a:ba:7c:4d:08:6c:ff:fd:6c:5e:1f:
                    ae:34:b0:ff:60:06:72:d8:29:2f:2b:4e:75:ba:26:36:
                    8b:1f:a8:61:a6:1e:fc:12:d0:5c:bd:fc:c7:16:7a:49:
                    c2:9d:c5:6a:bd:11:32:fc:86:a3:a4:85:ac:2e:af:b6:
                    de:99:23:46:05:f4:09:1b:dc:37:df:bb:ca:96:e1:7e:
                    f6:b2:04:45:03:21:05:a4:cf:45:62:16:16:35:c0:08:
                    fa:99:29:23:96:5f:62:e2:02:74:dd:6a:ce:46:c8:7f
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Basic Constraints
            Data: Is not a CA.

            Name: Certificate Comment
            Comment: "OpenSSL Generated Certificate"

            Name: Certificate Subject Key ID
            Data:
                23:18:28:13:d8:87:23:04:5e:15:0b:39:98:ca:ca:d5:
                20:43:d2:c1

            Name: Certificate Authority Key Identifier
            Key ID:
                66:1b:21:28:fc:c8:35:71:09:56:15:5d:74:93:0a:30:
                d6:84:0e:c6

    Signature Algorithm: PKCS #1 RSA-PSS Signature
        Parameters:
            Hash algorithm: SHA-256
            Mask algorithm: PKCS #1 MGF1 Mask Generation Function
            Mask hash algorithm: SHA-256
            Salt Length: 222 (0xde)
    Signature:
        40:bb:98:7f:8a:98:ad:03:58:b0:6e:c9:15:c4:d8:ad:
        8e:73:87:55:e3:ba:d8:c5:df:de:ef:94:23:59:b8:9e:
        8b:98:5b:13:af:b2:20:72:16:58:87:01:f3:d9:5c:df:
        3d:17:8c:87:89:b2:6d:9c:77:40:30:1a:22:80:f3:f2:
        40:6c:60:2f:39:59:d2:dc:db:fd:a1:bd:3c:d1:f9:17:
        9a:b2:b1:85:fe:62:50:cc:91:c1:34:de:c2:45:33:d8:
        ef:7e:60:67:9d:e6:9a:e2:a9:4d:9b:ef:80:43:9c:5f:
        70:32:1f:b3:56:3a:9f:e1:66:75:3b:7d:7b:8f:e6:4e:
        e6:1f:f5:ce:e4:54:7c:e4:c7:fb:ec:85:b8:fa:68:b0:
        f6:b8:dc:0a:53:b4:f0:91:bd:74:22:c3:d5:a2:ef:50:
        62:44:06:c0:d7:ab:e3:4f:dd:72:ae:b1:1c:3d:bb:e2:
        34:af:51:ef:15:30:7c:4c:ff:54:6a:f5:81:7c:21:d6:
        c8:95:8d:07:2d:a6:88:81:39:ce:7e:a3:02:5f:77:48:
        ad:36:b6:0e:8f:2f:ad:0d:a2:56:cb:36:32:2a:51:13:
        05:49:29:d3:59:35:51:41:4c:8d:0a:2e:7f:17:34:68:
        b6:a0:09:d2:20:52:4c:c6:b8:c3:82:b7:a7:0b:df:ae
    Fingerprint (SHA-256):
        AA:51:B8:88:42:B9:8B:D2:33:43:34:EB:8C:32:6B:E6:5B:6A:17:55:1A:65:B8:94:89:3B:2B:85:58:53:62:E5
    Fingerprint (SHA1):
        F4:71:37:37:3A:36:06:5C:56:DA:56:D9:A7:F0:BB:40:45:0E:0E:B3

    Friendly Name: server

Key(shrouded):
    Friendly Name: server

    Encryption algorithm: PKCS #12 V2 PBE With SHA-1 And 3KEY Triple DES-CBC
        Parameters:
            Salt:
                25:17:5c:2a:fb:8b:58:4f
            Iteration Count: 2048 (0x800)

Comment 2 Bob Relyea 2017-03-23 22:44:15 UTC
This is an nss, not softokn I plan on including the softokn fix for this bug in the softokn release...

Comment 20 errata-xmlrpc 2018-04-10 09:25:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:0679


Note You need to log in before you can comment on or make changes to this bug.