1436873 - Exported certificates exceed Windows' password iteration count of 600k

Status: RESOLVED FIXED

(Core :: Security: PSM, defect, P1)

Description

[phil.boyd]

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Build ID: 20180205211730

Steps to reproduce:

Exported a personal email certificate using Certificate Manager
supplied a password for the private key
p12 file created


Actual results:

Tried to import the p12 into other browsers and Windows 10 CertMgr; received error that password was invalid


Expected results:

p12 should have been imported into other browsers and CertMgr

Comment 1

[Dana Keeler (she/her) (use needinfo) (:keeler for reviews)]

Can you attach a test certificate to this bug so we can potentially debug the issue?
(fwiw I just tried this out and it seems to work for me - do you have non-ascii characters in your password? That's supposed to work but maybe it broke.)

Comment 2

[phil.boyd]

Should not be an issue - will probably take me a day or two to do this.  BTW - I just tried a very simple password - "abcdabcd", and the import failed.

Comment 3

[Tomaz]

confirmed, same in all cases, FF 59 probably use some advanced crypto, which is not accepted by windows certmgr.msc

problem described also here
https://superuser.com/questions/1295305/certificate-export-from-firefox-import-to-windows-store

both solutions work:
-import to FF57 and export from there
-import to windows keystore using digicert utility

Comment 4

[phil.boyd]

Using FF58 I was able to import/export the certificate correctly, even with a complex password

Comment 5

[J.C. Jones [:jcj] (he/him)]

This looks like it is likely because of the PKCS12 password iterations being increased in Bug 1278071 to 1000000.

Comment 6

[alex_mayorga]

¡Hola!

Ended up here from https://support.mozilla.org/es/questions/1210157

Confirming as this affects the reporter, one commenter and the SuMo question author.

¡Gracias!
Alex

Comment 7

[J.C. Jones [:jcj] (he/him)]

One reporter I've been connected to over email says they're in contact with Microsoft over this issue. I've asked to be connected. It'd be good to know if Windows certmgr.msc supported, say, 9999999 rounds, but not 1000000 -- we could easily make that change.

I don't see reducing back to the Netscape-era level of rounds being acceptable in the general case.

Comment 8

[Hubert Kario]

That change was tested against GnuTLS and OpenSSL so it's unlikely that the file created is actually incorrect
more likely (though quite surprising) is Windows having some hardcoded limit on iteration count

example files with test certificates to see what's the actual difference between working and non-working files would be very helpful

Comment 10

[S.Amposta]

Attachment: Two p12 test files

The file is a Zip with two p12 files. One exported from FF V.58 32bits and the other from FF V.59 64 bits. Both files contain the same (fake) certificate and password 123456. The exported from V59 can't be imported to Chrome or IE

Comment 11

[niek.dieltjens]

I'm having the same issue. Exporting certificate does word but importing it in windows store via (mmc) doesn't work. Getting the invalid password error.

Windows Event viewer displays: "PFX operation failed as Iteration count doesn't lie in expected range. Maximum permissible value: 600000. Erroneous value: 1000000" (as mentioned earlier by J.C. Jones).

Maybe worth mentioning; going to Firefox certificates and instead of clicking on the "Backup" button in the Your Certificates screen, clicking on the code signing certificate, and clicking "View..." That takes me to the Certificate Viewer window, where I click on the Details tab and click the "Export" button. There, I am given the choice of X.509 Certificates. Exporting only the public part does seem to work. I'm able to import those.

Comment 12

[S.Amposta]

It looks like definitively the problem is the number of rounds in the encryption process. According with niek.dieltjens, windows allows up to 600,000, and FF59 uses 1,000,000

Maybe there should be a variable in about:config to set the number of rounds. Depending upon the platform, this variable should be set to the greatest allowed, in windows 600,000. I suppose that to prevent user setting absurd values, there should be hardcoded  a number of valid values i.e. 100,000 200,000 600,000 1,000,000. So, when user sets an invalid value, check it and fallback to one of such valid values.

Comment 13

[J.C. Jones [:jcj] (he/him)]

(In reply to niek.dieltjens from comment #11)
> Windows Event viewer displays: "PFX operation failed as Iteration count
> doesn't lie in expected range. Maximum permissible value: 600000. 

Aha! That's great to know. I've been ping-ponging emails around to people in Microsoft trying to find who could tell me this 600k number. I also want to know if this is going to be raised -- or can be raised -- soon.

I'm going to take that information back to Bug 1278071. It's not an easy process to make this configurable, but we could in theory reduce it down to 600k for 60 and onward.

Comment 14

[Hubert Kario]

(In reply to niek.dieltjens from comment #11)
> I'm having the same issue. Exporting certificate does word but importing it
> in windows store via (mmc) doesn't work. Getting the invalid password error.
> 
> Windows Event viewer displays: "PFX operation failed as Iteration count
> doesn't lie in expected range. Maximum permissible value: 600000. Erroneous
> value: 1000000" (as mentioned earlier by J.C. Jones).
> 
> Maybe worth mentioning; going to Firefox certificates and instead of
> clicking on the "Backup" button in the Your Certificates screen, clicking on
> the code signing certificate, and clicking "View..." That takes me to the
> Certificate Viewer window, where I click on the Details tab and click the
> "Export" button. There, I am given the choice of X.509 Certificates.
> Exporting only the public part does seem to work. I'm able to import those.

that's expected – those files do not use encryption to store certificates so there is no PBKDF parameter to be outside permissible range.

(In reply to J.C. Jones [:jcj] from comment #13)
> (In reply to niek.dieltjens from comment #11)
> > Windows Event viewer displays: "PFX operation failed as Iteration count
> > doesn't lie in expected range. Maximum permissible value: 600000. 
> 
> Aha! That's great to know. I've been ping-ponging emails around to people in
> Microsoft trying to find who could tell me this 600k number. I also want to
> know if this is going to be raised -- or can be raised -- soon.
> 
> I'm going to take that information back to Bug 1278071. It's not an easy
> process to make this configurable, but we could in theory reduce it down to
> 600k for 60 and onward.

I see no problem in decreasing it from 1M to 600k in NSS, though it certainly does create a problem for the future: we will definitely want to increase it to something like 6M in half a decade to a decade...

so them increasing maximum to something like 100M or 1G (to have few decades of breathing room) would be very welcome

Comment 15

[Hubert Kario]

(In reply to S.Amposta from comment #10)
> Created attachment 8961087 [details]
> Two p12 test files
> 
> The file is a Zip with two p12 files. One exported from FF V.58 32bits and
> the other from FF V.59 64 bits. Both files contain the same (fake)
> certificate and password 123456. The exported from V59 can't be imported to
> Chrome or IE

Perfect, thank you.

So the only difference indeed is in iteration count, while 58 uses 100k, 59 uses 1M; both use pbeWithSHA1And40BitRC2-CBC for encryption of the certificate and pbeWithSHA1And3-KeyTripleDES-CBC for encryption of the key and SHA-1 HMAC for integrity.

Comment 18

[J.C. Jones [:jcj] (he/him)]

As an update, this is fixed in Firefox Nightly, and we're tracking uplift of the fix into Beta in bug 1448404.

Comment 19

[Liz Henry (:lizzard Please n-i to RyanVM, jcristau, or pascal)]

Looks like this was fixed in beta 60 in bug 144404 (beta 11)