#7757 Invalid PKCS#12 files are treated as if they have bad passwords
Opened 5 years ago by rcritten. Modified 5 years ago

Issue

Ticket https://pagure.io/freeipa/issue/5378 attempted to improve error reporting when loading PKCS#12 files.

It treated pk12util returncode 18 as invalid password, like 17. Looking at the NSS source it defines these:

#define PK12UERR_DECODEVERIFY 17
#define PK12UERR_DECODEVALIBAGS 18

So 18 really means that the PKCS#12 file can't be decoded at all, not that it doesn't have a bad password. This is causing key imports to fail because they are not in PKCS#12 format so throw an 18.

Steps to Reproduce

  1. $ pk12util -d /etc/pki/nssdb/ -i /etc/group
    Enter password for PKCS12 file: <enter whatever>
    pk12util: PKCS12 decoding failed: SEC_ERROR_BAD_DER: security library: improperly formatted DER-encoded message.
    pk12util: PKCS12 decoding failed: SEC_ERROR_BAD_DER: security library: improperly formatted DER-encoded message.
    pk12util: PKCS12 decode not verified: SEC_ERROR_BAD_DER: security library: improperly formatted DER-encoded message.
    pk12util: PKCS12 decode validate bags failed: SEC_ERROR_INVALID_ARGS: security library: invalid arguments.
    $ echo $?
    18

This is an inconsistency in pk12util:

$ pk12util -d /etc/pki/nssdb/ -i /tmp/test.p12
Enter password for PKCS12 file:
pk12util: PKCS12 decode not verified: SEC_ERROR_BAD_PASSWORD: The security password entered is incorrect.
pk12util: PKCS12 decode validate bags failed: SEC_ERROR_INVALID_ARGS: security library: invalid arguments.
$ echo $?
18
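An added example, not part of the ticket or of FreeIPA's code: since both transcripts above exit with 18, a caller can tell the two cases apart only by the NSS error name on stderr. The function name, the result labels and the fallback choices are assumptions made for illustration; the two sample outputs are copied from the transcripts in this ticket.

```python
import re

# Return codes as quoted from the NSS source in this ticket.
PK12UERR_DECODEVERIFY = 17
PK12UERR_DECODEVALIBAGS = 18

# stderr from the /etc/group run above (not a PKCS#12 file at all).
BAD_DER_STDERR = """\
pk12util: PKCS12 decoding failed: SEC_ERROR_BAD_DER: security library: improperly formatted DER-encoded message.
pk12util: PKCS12 decode not verified: SEC_ERROR_BAD_DER: security library: improperly formatted DER-encoded message.
pk12util: PKCS12 decode validate bags failed: SEC_ERROR_INVALID_ARGS: security library: invalid arguments.
"""

# stderr from the /tmp/test.p12 run above (valid file, wrong password).
BAD_PASSWORD_STDERR = """\
pk12util: PKCS12 decode not verified: SEC_ERROR_BAD_PASSWORD: The security password entered is incorrect.
pk12util: PKCS12 decode validate bags failed: SEC_ERROR_INVALID_ARGS: security library: invalid arguments.
"""

NSS_ERROR_NAME = re.compile(r"\b(SEC_ERROR_[A-Z0-9_]+)\b")


def classify_pk12util_failure(returncode, stderr):
    """Hypothetical helper: map a pk12util exit status and stderr to a cause.

    Returns "ok", "bad_password", "invalid_file", "undetermined" or "other".
    """
    if returncode == 0:
        return "ok"
    if returncode not in (PK12UERR_DECODEVERIFY, PK12UERR_DECODEVALIBAGS):
        return "other"

    names = set(NSS_ERROR_NAME.findall(stderr))
    # The error name is the only signal that separates the two transcripts.
    if "SEC_ERROR_BAD_PASSWORD" in names:
        return "bad_password"
    if "SEC_ERROR_BAD_DER" in names:
        return "invalid_file"

    # Assumption: with no recognizable error name, keep the ticket's reading
    # of 17 as a bad password and refuse to guess for the ambiguous 18.
    if returncode == PK12UERR_DECODEVERIFY:
        return "bad_password"
    return "undetermined"
```
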
