Bug 1462297 - Import of PKCS#12 files with Camellia encryption is not supported
Summary: Import of PKCS#12 files with Camellia encryption is not supported
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: nss
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Daiki Ueno
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks: rhel7-nss-pkcs12
Reported: 2017-06-16 16:06 UTC by Hubert Kario
Modified: 2019-02-11 15:39 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-02-11 15:39:40 UTC
Target Upstream Version:




Links
System ID Priority Status Summary Last Updated
Red Hat Bugzilla 1220573 None CLOSED NSS can't handle PKCS#12 files with keys or certificates encrypted using strong PKCS#5 v2.0 ciphers or ones that use SHA... 2019-03-04 12:28:42 UTC
Mozilla Foundation 1373716 None None None 2019-03-04 12:28:42 UTC

Internal Links: 1220573

Description Hubert Kario 2017-06-16 16:06:28 UTC
Description of problem:
PKCS#12 files encrypted using camellia-128-cbc, camellia-192-cbc or camellia-256-cbc algorithms are unsupported by pk12util

Version-Release number of selected component (if applicable):
nss-3.28.4-8.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. openssl req -x509 -newkey rsa -keyout localhost.key -out localhost.crt -subj /CN=localhost -nodes -batch
2. echo "RedHatEnterpriseLinux7.1" | openssl pkcs12 -export -out bundle.p12 -in localhost.crt -caname server-cert -nokeys -passout stdin -certpbe camellia-128-cbc -keypbe camellia-128-cbc
3. pk12util -l bundle.p12 -W RedHatEnterpriseLinux7.1 -v


Actual results:
pk12util: PKCS12 decode not verified: SEC_ERROR_BAD_DER: security library: improperly formatted DER-encoded message.
pk12util: PKCS12 decode not verified: SEC_ERROR_BAD_DER: security library: improperly formatted DER-encoded message.

Expected results:
Contents of the PKCS#12 file listed

Additional info:
Import of the PKCS#12 file to the NSS database does not work either.

Comment 2 Hubert Kario 2017-09-15 17:18:19 UTC
When certificates are encrypted with 40 bit RC2 and the key is encrypted with camellia-256-cbc, using NSS 3.32, the file is importable:

echo "RedHatEnterpriseLinux7.1" | openssl pkcs12 -export -out bundle.p12 -in localhost.crt -inkey localhost.key -caname server-cert -passout stdin -keypbe camellia-256-cbc

mkdir nssdb
certutil -N --empty-password -d sql:nssdb
pk12util -i bundle.p12 -d sql:nssdb -W RedHatEnterpriseLinux7.1 -v
PKCS12 IMPORT SUCCESSFUL

camellia-128-cbc and camellia-192-cbc exported by NSS are "obviously" wrong - they specify a 32 byte key in PBKDF2, so the likely issue is just with the formatting of the file, not with PBES2 or PBKDF2
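
Comment 2 narrows the fault to the PBKDF2 keyLength written for camellia-128-cbc and camellia-192-cbc. As an added check, not part of this bug report or of NSS, the stdlib-only Python below walks a DER blob (a whole .p12 or a single PBES2 AlgorithmIdentifier; definite-length DER as the exporters here produce) and reports every PBES2 parameter set whose declared keyLength disagrees with the Camellia key size. The OID byte constants come from PKCS#5 and RFC 3657; the `der`/`pbes2_alg_id` encoder and the sample it builds are assumptions constructed here to exercise the checker, not data from the bug.

```python
PBES2 = b"\x2a\x86\x48\x86\xf7\x0d\x01\x05\x0d"   # 1.2.840.113549.1.5.13 (OID content octets)
PBKDF2 = b"\x2a\x86\x48\x86\xf7\x0d\x01\x05\x0c"  # 1.2.840.113549.1.5.12
CAMELLIA_128 = b"\x2a\x83\x08\x8c\x9a\x4b\x3d\x01\x01\x01\x02"  # 1.2.392.200011.61.1.1.1.2
CAMELLIA = {CAMELLIA_128[:-1] + bytes([b]): (f"camellia-{k * 8}-cbc", k)  # RFC 3657 OIDs -> key bytes
            for b, k in ((2, 16), (3, 24), (4, 32))}  # ...61.1.1.1.2 / .3 / .4

def der_children(buf):  # yield (tag, content) per definite-length TLV; raise if buf is not DER
    pos = 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits give the number of length octets
            n = length & 0x7F; length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + length > len(buf):
            raise ValueError("truncated TLV")
        yield tag, buf[pos:pos + length]
        pos += length

def check_pbes2(blob):
    """Return (cipher, declared, expected) for each PBES2 AlgorithmIdentifier with a wrong PBKDF2 keyLength."""
    findings = []
    def walk(content):
        try:
            kids = list(der_children(content))
        except (IndexError, ValueError):
            return  # not DER (e.g. the encrypted octets themselves)
        if len(kids) == 2 and kids[0] == (0x06, PBES2):
            kdf, enc = der_children(kids[1][1])         # PBES2-params: keyDerivationFunc, encryptionScheme
            kdf_oid, kdf_params = der_children(kdf[1])  # PBKDF2 OID, PBKDF2-params
            cipher = CAMELLIA.get(next(der_children(enc[1]))[1])
            ints = [int.from_bytes(b, "big") for t, b in der_children(kdf_params[1]) if t == 0x02]
            declared = ints[1] if len(ints) > 1 else None  # [iterationCount, keyLength (optional)]
            if kdf_oid[1] == PBKDF2 and cipher and declared not in (None, cipher[1]):
                findings.append((cipher[0], declared, cipher[1]))
        for tag, body in kids:
            if tag & 0x20 or tag == 0x04:  # constructed, or an OCTET STRING that may wrap more DER
                walk(body)
    walk(blob)
    return findings

def der(tag, content):  # encode one TLV; long-form length when content is >= 128 octets
    ln = len(content).to_bytes((len(content).bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (ln if len(content) < 0x80 else bytes([0x80 | len(ln)]) + ln) + content
def pbes2_alg_id(cipher_oid, key_length):
    """Constructed sample PBES2 AlgorithmIdentifier (PBKDF2, default SHA-1 PRF); not from a real file."""
    integer = lambda v: der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))
    kdf = der(0x30, der(0x06, PBKDF2) + der(0x30, der(0x04, b"\0" * 8) + integer(2048) + integer(key_length)))
    enc = der(0x30, der(0x06, cipher_oid) + der(0x04, b"\0" * 16))  # cipher OID + 16-byte IV
    return der(0x30, der(0x06, PBES2) + der(0x30, kdf + enc))
if __name__ == "__main__":  # the case comment 2 describes: a 128-bit cipher with a 32-byte PBKDF2 key
    print(check_pbes2(pbes2_alg_id(CAMELLIA_128, 32)))  # [('camellia-128-cbc', 32, 16)]
```

To inspect a real bundle, call `check_pbes2(open("bundle.p12", "rb").read())`; an empty list means every Camellia PBES2 entry either omits keyLength or declares the size the cipher needs.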

Comment 3 Simo Sorce 2019-02-11 15:39:40 UTC
This issue was not selected to be included in Red Hat Enterprise Linux 7.7 because it is seen as either low or moderate impact to a small number of use-cases. The next release will be in Maintenance Support 1 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available. We will now close this issue, but if you believe that it qualifies for the Maintenance Support 1 Phase, please re-open; otherwise we recommend moving the request to Red Hat Enterprise Linux 8 if applicable.

