Closed Bug 1059692 Opened 7 years ago Closed 7 years ago

RSA PKCS12 import fails in ff31 but works in all previous version

Categories

(Firefox :: Untriaged, defect)

31 Branch
x86_64
Windows 7
defect
Not set
normal

Tracking

()

VERIFIED DUPLICATE of bug 1049435

People

(Reporter: stuartgwilson, Unassigned)

Details

Attachments

(1 file)

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0 (Beta/Release)
Build ID: 20140419230202

Steps to reproduce:

1. Created PKCS12 file using java API. 



Actual results:

2. Imported pkcs12 file successfully into version 30 and previous versions
3. Failed to import the same pkcss12 into version 31. Recevied an error: "The PKCS #12 operation failed for unknown reasons"


Expected results:

The pkcs 12 should have imported successfully.

Further info:
1. The pkcs12 file is attached.
2. I exported the pkcs12 from version 30 and I was then able to successfully import into 31. However I was not able to import the original pkcs12 into version 31.
3. I disabled security.use_mozillapkix_verification, however this did not seem to make a difference.
4. Using the same method to create the PKCS12 I then created an exact replica of the pkcs12 but using ECDSA keys rather than RSA and I was able to import the ECDSA pkcs12 successfully into version 31.

The password for the pkcs12 == Cybertrust1,
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1049435
Hello,

I don't think is a duplicate of bug 1049435 because:

1) I have imported a not importable p12 using the command line pk12util
2) I have exported the p12 from firefox in pkcs#12 format
3) I have deleted the keys imported
4) I have successfully imported the exported p12 into firefox

so I don't think that is something related to "RSA private key fails if p < q"

Regards
GB
(In reply to GB from comment #2)
> Hello,
> 
> I don't think is a duplicate of bug 1049435 because:
> 
> 1) I have imported a not importable p12 using the command line pk12util

Apparently pk12util is not as strict about this as Firefox 31.

> 2) I have exported the p12 from firefox in pkcs#12 format

From Firefox 30, right? Which wasn't as strict. So that's expected.

> 3) I have deleted the keys imported
> 4) I have successfully imported the exported p12 into firefox
> 
> so I don't think that is something related to "RSA private key fails if p <
> q"

In the RSA algorithm, p and q (prime1 and prime2) are interchangeable. If you check your two files by exporting a pem file using openssl pkcs12, and then dump output using:

openssl rsa -in original.pem -text -inform PEM -noout
openssl rsa -in reimported.pem -text -inform PEM -noout

and check the values for prime1 and prime2, you'll see (a) that in the original, prime1 < prime2, and (b) they've been swapped in the reimported cert, presumably by the export functionality from Firefox, which explains why that one works in Firefox 31.

So yes, this is the same issue.
Status: RESOLVED → VERIFIED
Thanks,
I have understood now.

the last question:

from what I have read in bug 1049435 it seem that p<q is a correct check,
but if p and q are are interchangeable, why p<q is checked?

do you have any idea if there will be fix?

Thanks
GB
(In reply to GB from comment #4)
> Thanks,
> I have understood now.
> 
> the last question:
> 
> from what I have read in bug 1049435 it seem that p<q is a correct check,
> but if p and q are are interchangeable, why p<q is checked?

I have no idea. Best ask in that bug, perhaps one of the NSS/spec folks will be able to answer this.

> do you have any idea if there will be fix?

At the moment it doesn't seem like it, but again, one of the NSS folks will know better than me. I work on a completely different part of Firefox - just happen to know a little bit about crypto.
You need to log in before you can comment on or make changes to this bug.