NSS changed passphrase handling for PKCS #12 files using PBES2-based key encryption. PKCS #12 files generated by Dogtag so as to be compatible with NSS <3.31, are now not compatible with NSS.
See https://bugzilla.mozilla.org/show_bug.cgi?id=1353325 for details about the change that occurred in NSS.
This is being considered a regression in NSS and is being addressed there, but we also need to update Dogtag to generate PKCS #12 files that are compatible with NSS right now, and to accept both formats.
Metadata Update from @ftweedal: - Issue assigned to ftweedal
Metadata Update from @ftweedal: - Custom field component adjusted to None - Custom field feature adjusted to None - Custom field origin adjusted to None - Custom field proposedmilestone adjusted to None - Custom field proposedpriority adjusted to None - Custom field reviewer adjusted to None - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1486225 - Custom field type adjusted to None - Custom field version adjusted to None
Gerrit review: https://review.gerrithub.io/#/c/378753/
Pushed to master: * https://github.com/dogtagpki/pki/commit/ed5cccefebf98e588a5385191e43f727349b54a9
Metadata Update from @mharmsen: - Issue set to the milestone: 10.4
Author: Fraser Tweedale ftweedal@redhat.com Date: Thu Sep 14 12:22:47 2017 +1000
Make PKCS #12 files compatible with OpenSSL, NSS >= 3.31 For compatibility with OpenSSL and NSS >= 3.31, the passphrase must not be BMPString-encoded when non-PKCS #12 PBE schemes such as PBES2. Fixes: https://pagure.io/dogtagpki/issue/2809 Change-Id: Ic78ad337ac0b9b2f5d2e75581cc0ee55e6d82782
Metadata Update from @mharmsen: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Metadata Update from @mharmsen: - Issue set to the milestone: 10.4.10 (was: 10.4)
Commits (in order):
386357c347f8433e14ccd8637576f4c4a4e42492 bc329a0162ae9af382c81e75742b282ea8c5df0d 9eb354883c9d965bb271223bf870839bb756db26 fa2d731b6ce51c5db9fb0b004d586b8f3e1decd3 8c0a7eee3bbfe01b2d965dbe09e95221c5031c8b
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2929
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Subscribe
Thank you for understanding, and we apologize for any inconvenience.
Login to comment on this ticket.