pk12util fails to import EC key
Categories: (NSS :: Tools, defect, P3)
Tracking: (Not tracked)
People: (Reporter: franziskus, Unassigned)
Details
We got this on dev-tech-crypto.

Steps to reproduce:

# Create an empty NSS db
mkdir nss
openssl rand -base64 -out nss/pw 21
certutil -d nss -f nss/pw -N
# Generate an EC key/cert
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:secp521r1 -keyout key.pem -out cert.pem -days 3650 -nodes -subj "/CN=Test CA"
# Export to pkcs12 format
openssl pkcs12 -export -in cert.pem -inkey key.pem -out cert.p12 -name Test
# Import to nss db
pk12util -i cert.p12 -d nss -k nss/pw
# pk12util reports error
Comment 1•5 years ago
I cannot reproduce this with the latest trunk; looks like it was fixed by bug 1295121.
Comment 2•4 years ago
I still have it with nss 3.53 (built with debug from FreeBSD ports).
pk12util asks for a password twice and then fails with
pk12util: PKCS12 decode import bags failed: SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY: Unable to import. Error attempting to import private key.
changing the "openssl req" line to
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 3650 -nodes -subj "/CN=Test CA"
allows pk12util to say
pk12util: PKCS12 IMPORT SUCCESSFUL
Comment 3•2 years ago
As it seems (with openssl 1.1.1l)
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:secp521r1 -keyout key.pem -out cert.pem -days 3650 -nodes -subj "/CN=Test CA"
generates a certificate with a public key in the explicit encoding of the curve
openssl x509 -pubkey -in cert.pem -noout | openssl asn1parse
0:d=0 hl=4 l= 605 cons: SEQUENCE
4:d=1 hl=4 l= 464 cons: SEQUENCE
8:d=2 hl=2 l= 7 prim: OBJECT :id-ecPublicKey
17:d=2 hl=4 l= 451 cons: SEQUENCE
21:d=3 hl=2 l= 1 prim: INTEGER :01
24:d=3 hl=2 l= 77 cons: SEQUENCE
26:d=4 hl=2 l= 7 prim: OBJECT :prime-field
35:d=4 hl=2 l= 66 prim: INTEGER :01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
103:d=3 hl=3 l= 159 cons: SEQUENCE
106:d=4 hl=2 l= 66 prim: OCTET STRING [HEX DUMP]:01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC
174:d=4 hl=2 l= 66 prim: OCTET STRING [HEX DUMP]:0051953EB9618E1C9A1F929A21A0B68540EEA2DA725B99B315F3B8B489918EF109E156193951EC7E937B1652C0BD3BB1BF073573DF883D2C34F1EF451FD46B503F00
242:d=4 hl=2 l= 21 prim: BIT STRING
265:d=3 hl=3 l= 133 prim: OCTET STRING [HEX DUMP]:0400C6858E06B70404E9CD9E3ECB662395B4429C648139053FB521F828AF606B4D3DBAA14B5E77EFE75928FE1DC127A2FFA8DE3348B3C1856A429BF97E7E31C2E5BD66011839296A789A3BC0045C8A5FB42C7D1BD998F54449579B446817AFBD17273E662C97EE72995EF42640C550B9013FAD0761353C7086A272C24088BE94769FD16650
401:d=3 hl=2 l= 66 prim: INTEGER :01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409
469:d=3 hl=2 l= 1 prim: INTEGER :01
472:d=1 hl=3 l= 134 prim: BIT STRING
changing this to
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:secp521r1 -pkeyopt ec_param_enc:named_curve -keyout key.pem -out cert.pem -days 3650 -nodes -subj "/CN=Test CA"
generates a certificate with a named public key
openssl x509 -pubkey -in cert.pem -noout | openssl asn1parse
0:d=0 hl=3 l= 155 cons: SEQUENCE
3:d=1 hl=2 l= 16 cons: SEQUENCE
5:d=2 hl=2 l= 7 prim: OBJECT :id-ecPublicKey
14:d=2 hl=2 l= 5 prim: OBJECT :secp521r1
21:d=1 hl=3 l= 134 prim: BIT STRING
What is interesting is that using "openssl genpkey" does not have this problem - "named_curve" seems to be the default, as documented.
Comment 4•2 years ago
(forgot to say: a named-curve certificate can be imported with pk12util)
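The distinction Comment 3 shows in the asn1parse output (ECParameters as a named-curve OBJECT IDENTIFIER versus an explicit SpecifiedECDomain SEQUENCE) can be checked before a pk12util import is attempted. The script below is an added example, not code from this bug report, NSS or OpenSSL: it implements a minimal DER reader, classifies the ECParameters of a SubjectPublicKeyInfo, and accepts the PEM that `openssl x509 -pubkey -in cert.pem -noout` prints. The two sample keys embedded in it are constructed filler with the correct structure (not real keys), and the NAMED_CURVES table is an assumption covering three common curves.

```python
"""Classify the EC parameter encoding of a DER SubjectPublicKeyInfo.

Added example, not from the NSS bug or from NSS/OpenSSL code. Structure walked:
  SubjectPublicKeyInfo ::= SEQUENCE {
      algorithm        SEQUENCE { OID id-ecPublicKey, ECParameters },
      subjectPublicKey BIT STRING }
ECParameters is either a namedCurve OID (imports into NSS) or an explicit
SpecifiedECDomain SEQUENCE (the encoding pk12util rejects in this bug).
"""
import base64

ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"
NAMED_CURVES = {                      # assumption: a small table of common curves
    "1.2.840.10045.3.1.7": "prime256v1",
    "1.3.132.0.34": "secp384r1",
    "1.3.132.0.35": "secp521r1",
}

# --- minimal DER reader -------------------------------------------------
def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                 # long form: 0x8N followed by N length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):
    """Decode OBJECT IDENTIFIER content bytes to dotted form."""
    arcs, cur = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))

def classify_ec_spki(der):
    """Return 'named:<curve>' or 'explicit'; ValueError if not an EC key."""
    tag, spki, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    tag, alg_id, _ = _read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    tag, oid, pos = _read_tlv(alg_id, 0)
    if tag != 0x06 or _decode_oid(oid) != ID_EC_PUBLIC_KEY:
        raise ValueError("not an id-ecPublicKey key")
    tag, params, _ = _read_tlv(alg_id, pos)
    if tag == 0x06:                   # ECParameters = namedCurve OBJECT IDENTIFIER
        dotted = _decode_oid(params)
        return "named:" + NAMED_CURVES.get(dotted, dotted)
    if tag == 0x30:                   # ECParameters = explicit SpecifiedECDomain
        return "explicit"
    raise ValueError("unexpected ECParameters tag 0x%02x" % tag)

def classify_pem(pem):
    """Accept the output of: openssl x509 -pubkey -in cert.pem -noout"""
    body = "".join(l.strip() for l in pem.splitlines()
                   if l.strip() and not l.startswith("-----"))
    return classify_ec_spki(base64.b64decode(body))

# --- minimal DER writer, used only to build the constructed samples -------
def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, out)

def to_pem(der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"

# Constructed samples: structurally valid, but the field values are filler,
# not a real secp521r1 key. The 134-byte point forces long-form lengths.
_DUMMY_POINT = b"\x00\x04" + b"\x11" * 132
NAMED_CURVE_SPKI = _tlv(0x30,
    _tlv(0x30, _oid(ID_EC_PUBLIC_KEY) + _oid("1.3.132.0.35"))
    + _tlv(0x03, _DUMMY_POINT))
EXPLICIT_PARAMS_SPKI = _tlv(0x30,
    _tlv(0x30, _oid(ID_EC_PUBLIC_KEY) + _tlv(0x30,
        _tlv(0x02, b"\x01")                                                 # version
        + _tlv(0x30, _oid("1.2.840.10045.1.1") + _tlv(0x02, b"\x01\xff"))   # prime-field, p
        + _tlv(0x30, _tlv(0x04, b"\x01\xfc") + _tlv(0x04, b"\x00\x51"))     # a, b
        + _tlv(0x04, b"\x04\x00\xc6")                                       # base point
        + _tlv(0x02, b"\x01\xff")                                           # order
        + _tlv(0x02, b"\x01")))                                             # cofactor
    + _tlv(0x03, _DUMMY_POINT))

if __name__ == "__main__":
    print("named sample:   ", classify_ec_spki(NAMED_CURVE_SPKI))
    print("explicit sample:", classify_ec_spki(EXPLICIT_PARAMS_SPKI))
    print("via PEM:        ", classify_pem(to_pem(NAMED_CURVE_SPKI)))
```

In practice, feed `classify_pem` the output of `openssl x509 -pubkey -in cert.pem -noout`; a result of `explicit` means the certificate was generated without `-pkeyopt ec_param_enc:named_curve` and will trip the import error from Comment 2.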
Updated•2 years ago
Updated•1 year ago