Open Bug 1373733 Opened 7 years ago Updated 2 years ago

PKCS#12 files with scrypt key derivation function are not supported

Categories

(NSS :: Libraries, enhancement, P3)

3.28.2
enhancement

Tracking

(Not tracked)

People

(Reporter: hkario, Unassigned)

Details

Description of problem:
Import of PKCS#12 files with scrypt key derivation function is not supported.

How reproducible:
Always

Steps to Reproduce:
1. download https://github.com/redhat-qe-security/keyfile-corpus
2. pk12util -l 'keyfile-corpus-keyfiles-0.1.2/rsa(2048,sha256),cert&key(PBES2(scrypt(salt(64),N(16384),r(8),p(1)),aes-256-cbc(IV(16)))),mac(sha512,salt(64),iter(1000000)),pass(ascii).p12' -v -w keyfile-corpus-keyfiles-0.1.2/password-ascii.txt

Actual results:
pk12util: PKCS12 decode validate bags failed: SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY: Unable to import.  Error attempting to import private key.

Expected results:
Key listed

Additional info:
NSS doesn't implement scrypt afaik. Not sure if someone is interested in implementing scrypt.
I had work-in-progress patches written long ago:
https://github.com/ueno/nss/tree/wip/dueno/scrypt

Although the original request from our internal customer was to add it at a lower level (freebl), it might make some sense to integrate it into PKCS#5 and PKCS#12 and expose it through pk11wrap API.

The missing pieces are:
- add "diversifier" field to the parameters structure, so it can be used for all PKCS#5 operations (suggested by Bob)
- actually use it from PKCS#5 and PKCS#12
- possibly use libscrypt code directly, as there is no conflict between MPL and BSD
- add test cases
Priority: -- → P3
Severity: normal → S3
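
Added example, not part of the bug report or of NSS: a minimal DER walk over the PBES2 AlgorithmIdentifier that a PKCS#12 shrouded key bag carries as its encryptionAlgorithm, reporting the key derivation function and, for scrypt, the parameters named in the corpus filename above. The sample bytes are constructed (zero-filled salt and IV), the function names are hypothetical, and locating the structure inside a real .p12 is assumed to be done elsewhere.

```python
PBES2_OID = "1.2.840.113549.1.5.13"
KDF_NAMES = {"1.2.840.113549.1.5.12": "PBKDF2", "1.3.6.1.4.1.11591.4.11": "scrypt"}

def tlv(buf, pos):
    """Decode the DER element at pos; return (value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                         # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return buf[pos:pos + length], pos + length

def children(body):  # values of the elements inside a SEQUENCE body
    out, pos = [], 0
    while pos < len(body):
        value, pos = tlv(body, pos)
        out.append(value)
    return out

def oid(value):
    """Dotted form of an OID value (the first two arcs share the first byte)."""
    first = min(value[0] // 40, 2)
    arcs, n = [first, value[0] - 40 * first], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, n = arcs + [n], 0
    return ".".join(map(str, arcs))

def describe_pbes2(alg_id):
    """Report the KDF of a PBES2 AlgorithmIdentifier and any scrypt parameters."""
    alg_oid, params = children(tlv(alg_id, 0)[0])
    if oid(alg_oid) != PBES2_OID:
        raise ValueError("not a PBES2 AlgorithmIdentifier")
    kdf_oid, kdf_params = children(children(params)[0])   # keyDerivationFunc
    info = {"kdf": KDF_NAMES.get(oid(kdf_oid), "unknown")}
    if info["kdf"] == "scrypt":               # scrypt-params: salt, N, r, p
        salt, *ints = children(kdf_params)[:4]
        N, r, p = (int.from_bytes(v, "big") for v in ints)
        info.update(salt_len=len(salt), N=N, r=r, p=p)
    return info

# Constructed sample: PBES2(scrypt(salt(64),N(16384),r(8),p(1)),aes-256-cbc(IV(16)))
SAMPLE = bytes.fromhex(
    "308187 06092a864886f70d01050d 307a 3059 06092b06010401da47040b 304c 0440" + "00" * 64
    + "02024000 020108 020101 301d 060960864801650304012a 0410" + "00" * 16)
```

Calling `describe_pbes2(SAMPLE)` returns the KDF name with the salt length, N, r and p, which is enough to tell before import whether a key bag depends on scrypt.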