Bug 1462302 - Import of PKCS#12 files with ECDSA keys without encryption fails
Summary: Import of PKCS#12 files with ECDSA keys without encryption fails
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: nss
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: Daiki Ueno
QA Contact: Hubert Kario
Depends On:
Blocks: rhel7-nss-pkcs12
TreeView+ depends on / blocked
Reported: 2017-06-16 16:32 UTC by Hubert Kario
Modified: 2019-03-04 12:21 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-02-11 15:41:45 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
Red Hat Bugzilla 1220573 None CLOSED NSS can't handle PKCS#12 files with keys or certificates encrypted using strong PKCS#5 v2.0 ciphers or ones that use SHA... 2019-02-28 09:30:34 UTC
Mozilla Foundation 1295121 None None None 2019-03-04 11:40:48 UTC

Internal Links: 1220573

Description Hubert Kario 2017-06-16 16:32:44 UTC
Description of problem:
When a PKCS#12 file does not use encryption for key nor certificate for ECDSA, the import fails.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. pk12util -i 'keyfile-corpus-keyfiles-0.1.2/ecdsa(P-256,sha256),cert(none),key(none),mac(sha1,salt(8),iter(2048)),pass(ascii).p12' -d sql:nssdb -w keyfile-corpus-keyfiles-0.1.2/password-ascii.txt

Actual results:
pk12util: PKCS12 decode import bags failed: SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY: Unable to import.  Error attempting to import private key.

Expected results:
file imported

Additional info:
Looks like the issue is only with the key part of the PKCS#12 file, not the certificate not being encrypted.

Comment 3 Simo Sorce 2019-02-11 15:41:45 UTC
This issue was not selected to be included either in Red Hat Enterprise Linux 7.7 because it is seen either as low or moderate impact to a small amount of use-cases. The next release will be in Maintenance Support 1 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available. We will now close this issue, but if you believe that it qualifies for the Maintenance Support 1 Phase, please re-open; otherwise we recommend moving the request to Red Hat Enterprise Linux 8 if applicable.

Comment 4 Daiki Ueno 2019-02-28 09:47:04 UTC
I am not able to reproduce it with the latest packages on RHEL-7.6:
$ pk12util -i 'keyfile-corpus/ecdsa(P-256,sha256),cert(none),key(none),mac(sha1,salt(8),iter(2048)),pass(ascii).p12' -d sql:nssdb -w keyfile-corpus/password-ascii.txt

Given that this was reported against 3.28 while 3.30 has a fix handling ECDSA private keys, I suppose this was already fixed in the previous rebase of NSS to 3.36:

Note You need to log in before you can comment on or make changes to this bug.